Project

General

Profile

Actions

Bug #5409

closed

PCRE: use match and recursion limit for pcrexform

Added by Philippe Antoine 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport, Needs backport to 6.0

Description

cf https://www.regular-expressions.info/catastrophic.html

As found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44742&q=label%3AProj-suricata&can=2

which basically ends up to

#include <pcre2.h>
#include <stdio.h>

int main(int argc, char **argv) {
    int en;
    PCRE2_SIZE eo;
    pcre2_code *regex = pcre2_compile((PCRE2_SPTR8)"[a-wA-Z]+\\S+.*\\s+HTTP", PCRE2_ZERO_TERMINATED, 0, &en, &eo, NULL);
    pcre2_match_data *match = pcre2_match_data_create_from_pattern(regex, NULL);
    uint8_t * input= "<horoscope><rssversion=\"2.0\"xmlns:a=\"http://schemas.microsoft.com/msn/targeting/recommend\"xmlns:msn=\"http://www.msn.com\"><channel><title>Horoscope</title><item><title>Aries</title><description>Thisisyourluckyday,Aries,andyoucanexpectallsortsofwonderfulsurprises.Youmayenjoyafinancialsurpriseorsomeonecouldproposeaninterestingandpotentiallylucrative...</description><msn:image><msn:title>Aries</msn:title><msn:link>http://a.sc.msn.com/c/my/horoscope/ari.jpg</msn:link></msn:image><msn:daterange>March20-April18</msn:daterange></item><description>ProvidedbyAstrocenter.com</description></channel></rss><ad></ad></horoscope>";
    size_t input_len = 621;
    printf("start\n");
    pcre2_match(regex, (PCRE2_SPTR8)input, input_len, 0, 0, match, NULL);
    printf("end\n");
    return 0;
}

which takes 3 seconds to run the match

rule is alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\S+(.*)\s+HTTP"; content:"/z4>0m"; endswith; sid:124;)


Subtasks 1 (0 open1 closed)

Bug #5414: PCRE: use match and recursion limit for pcrexform (6.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Copied to Bug #5414: PCRE: use match and recursion limit for pcrexform (6.0.x backport)ClosedVictor JulienActions
Actions #1

Updated by Philippe Antoine 3 months ago

  • Tracker changed from Feature to Bug
  • Subject changed from PCRE: detect potential catastrophic backtracking to PCRE: use match and recursion limit for pcrexform
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 7.0rc1
  • Label Needs backport, Needs backport to 6.0 added
  • Affected Versions 6.0.5 added
Actions #2

Updated by Philippe Antoine 3 months ago

  • Status changed from New to Resolved
Actions #3

Updated by Philippe Antoine 3 months ago

  • Status changed from Resolved to In Review
Actions #4

Updated by Philippe Antoine 3 months ago

  • Copied to Bug #5414: PCRE: use match and recursion limit for pcrexform (6.0.x backport) added
Actions #5

Updated by Philippe Antoine 3 months ago

  • Status changed from In Review to Resolved
Actions #6

Updated by Victor Julien 3 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF