suricata-daily-git-test

suricata-daily-git-test:master-6.0.x

Last commit made on 2024-04-23

Get this branch:: git clone -b master-6.0.x https://git.launchpad.net/suricata-daily-git-test

Branch merges

Branch information

Name:: master-6.0.x

Repository:: lp:suricata-daily-git-test

Recent commits

282423f... by Shivani Bhardwaj <email address hidden> on 2024-04-23

version: start development towards 6.0.20

d5f5ca0... by Shivani Bhardwaj <email address hidden> on 2024-04-23

release: 6.0.19; update changelog

cb823d4... by Victor Julien <email address hidden> on 2024-04-22

http2: fix for rustc 1.41.1

Co-authored-by: Philippe Antoine <email address hidden>

d24b37a... by Philippe Antoine <email address hidden> on 2024-03-28

http2: do not log duplicate headers

Ticket: 6900

And thus avoid DOS by logging a request using a compressed
header block repeated many times and having a long value...

(cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340)

08d93f7... by Philippe Antoine <email address hidden> on 2024-03-27

http2: use a reference counter for headers

Ticket: 6892

As HTTP hpack header compression allows one single byte to
express a previously seen arbitrary-size header block (name+value)
we should avoid to copy the vectors data, but just point
to the same data, while reamining memory safe, even in the case
of later headers eviction from the dybnamic table.

Rust std solution is Rc, and the use of clone, so long as the
data is accessed by only one thread.

(cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a)

1099eec... by Philippe Antoine <email address hidden> on 2024-03-24

detect/parse: set limits for pcre2

Ticket: 6889

To avoid regexp dos with too much backtracking.
This is already done on pcre keyword, and pcrexform transform.
We use the same default limits for rules parsing.

(cherry picked from commit 316cc528f784c86339d05907a4d6084cbe4d44e6)

Using pcre1 in master6

d5ffecf... by Philippe Antoine <email address hidden> on 2024-03-28

util/base64: fix buffer overflow

Ticket: 6902

In case the caller of DecodeBase64 does not supply a big enough
output buffer.

(cherry picked from commit fd47e67dc65f9111895c88fb406c938b1f857325)

d13bd2a... by Jason Ish <email address hidden> on 2024-01-12

defrag: fix check for complete packet

The list of fragments may still contain overlaps, so adding up the
fragment lengths is flawed. Instead track the largest size of
contiguous data that can be re-assembled.

Bug: #6675
(cherry picked from commit d226d0a3fce8837936e1bdfaee496c80d417e0a5)

414f97c... by Jason Ish <email address hidden> on 2023-12-07

defrag: fix subsequent overlap of start of original (bsd)

Fix the BSD policy case where a subsequent fragment starts before an
original fragment and overlaps the beginning of the original
fragment. In this case the overlapping data from the new fragment is
preferred.

Suricata was preferring the data from the original fragment, but it
should only do that when the original fragment has an offset <= to the
new fragment.

- Adds tests for this case

Bug: #6669
(cherry picked from commit f1709ea551124e1a64fdc509993ad022ab27aa77)

bf3d420... by Jason Ish <email address hidden> on 2023-11-28

defrag: check next fragment for overlap before stopping re-assembly

Instead of breaking the loop when the current fragment does not have
any more fragments, set a flag and continue to the next fragment as
the next fragment may have data that occurs before this fragment, but
overlaps it.

Then break if the next fragment does not overlap the previous.

Bug: #6668
(cherry picked from commit d0fd0782505d837e691ceef1b801776f0db82726)