diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml index 99727a15d9d8..177a900db2bb 100644 --- a/.github/workflows/builds.yml +++ b/.github/workflows/builds.yml @@ -38,11 +38,6 @@ jobs: name: Prepare dependencies runs-on: ubuntu-latest steps: - - name: Cache ~/.cargo - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 - with: - path: ~/.cargo - key: cargo - run: sudo apt update && sudo apt -y install jq curl - name: Parse repo and branch information env: @@ -126,7 +121,7 @@ jobs: uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: path: ~/.cargo - key: cbindgen + key: ${{ github.job }}-cargo - name: Installing Rust run: | curl https://sh.rustup.rs -sSf | sh -s -- -y @@ -152,8 +147,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - uses: actions/checkout@v3.1.0 @@ -260,8 +262,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - uses: actions/checkout@v3.1.0 @@ -380,6 +389,19 @@ jobs: container: centos:7 needs: [prepare-deps, alma-8] steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/yum + key: ${{ github.job }}-yum + - run: echo "keepcache=1" >> /etc/yum.conf + - name: Install system dependencies run: | yum -y install epel-release 
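Review bot: The key `${{ github.job }}-cargo` set in the `@@ -126,7 +121,7 @@` hunk never changes, and `actions/cache` does not save again after an exact-key hit, so the first `~/.cargo` archive stored for a job is what every later run restores. That archive holds the registry and anything installed under `~/.cargo/bin`, so a stale or bad entry persists until someone deletes it by hand. Consider a key that rotates, for example a manually bumped suffix such as `key: ${{ github.job }}-cargo-v1`, or a hash of the lock file in jobs where the checkout has already run. The same fixed key is used by every cargo cache step this commit adds or edits in builds.yml.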
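Review bot: The added `Cache RPMs` step in the `@@ -152,8 +147,15 @@` hunk uses `actions/cache@v3`, a movable tag, while the `Cache cargo registry` step directly above it pins the same action to commit `9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7`. A tag can be repointed upstream, so the step runs whatever the tag resolves to at build time; pinning keeps the workflow on code that was reviewed. Use the existing pin here as well: `uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7`. The identical step appears in the hunks at -260, -380 (there with `/var/cache/yum`), -451, -541, -635 and -726.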
@@ -451,8 +473,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - run: | dnf -y install \ @@ -541,8 +570,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - run: | dnf -y install \ @@ -635,8 +671,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - run: | dnf -y install \ @@ -726,8 +769,15 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo + + - name: Cache RPMs + uses: actions/cache@v3 + with: + path: /var/cache/dnf + key: ${{ github.job }}-dnf + - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - run: | dnf -y install \ @@ -789,6 +839,11 @@ jobs: container: ubuntu:22.04 needs: [prepare-deps, prepare-cbindgen] steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | apt update 
@@ -901,6 +956,11 @@ jobs: container: ubuntu:22.04 needs: [prepare-deps, prepare-cbindgen] steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | apt update @@ -969,7 +1029,7 @@ jobs: CC: "clang-14" CXX: "clang++-14" RUSTFLAGS: "-C instrument-coverage" - CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -fPIC -Wno-unused-parameter -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -Wimplicit-int-float-conversion -Wimplicit-int-conversion" + CFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -fPIC -Wno-unused-parameter -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -Wimplicit-int-float-conversion -Wimplicit-int-conversion -Werror" CXXFLAGS: "-fprofile-instr-generate -fcoverage-mapping -O0 -g -fno-strict-aliasing -fsanitize=address -fno-omit-frame-pointer -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -stdlib=libc++ -Wimplicit-int-float-conversion -Wimplicit-int-conversion" ac_cv_func_malloc_0_nonnull: "yes" ac_cv_func_realloc_0_nonnull: "yes" @@ -993,6 +1053,11 @@ jobs: container: ubuntu:20.04 needs: [prepare-deps, prepare-cbindgen] steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | @@ -1077,6 +1142,11 @@ jobs: container: ubuntu:20.04 needs: alma-8 steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | apt update 
@@ -1135,8 +1205,8 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | @@ -1207,8 +1277,8 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | @@ -1302,8 +1372,8 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo - name: Install dependencies run: | @@ -1365,8 +1435,8 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo - run: | apt update @@ -1435,6 +1505,11 @@ jobs: container: debian:9 needs: [prepare-deps, prepare-cbindgen] steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - run: | apt update apt -y install \ @@ -1503,8 +1578,8 @@ jobs: - name: Cache cargo registry uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 with: - path: ~/.cargo/registry - key: cargo-registry + path: ~/.cargo + key: ${{ github.job }}-cargo - run: | brew install \ autoconf \ @@ -1523,7 +1598,7 @@ jobs: rust \ xz - name: Install cbindgen - run: cargo install --force --debug --version 0.24.3 cbindgen + run: cargo install --debug --version 0.24.3 cbindgen - run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH - run: pip3 install PyYAML - uses: actions/checkout@v3.1.0 
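Review bot: Dropping `--force` from `cargo install` in the `Install cbindgen` step (hunk `@@ -1523,7 +1598,7 @@`) means that once the `~/.cargo` cache from the previous hunk restores `~/.cargo/bin`, the cbindgen executable presumably comes from the cache archive instead of being built in the run. That is the intended speed-up, but it makes the cache content part of the build's trust base, and with the fixed key `${{ github.job }}-cargo` the entry is not refreshed. For the runs that do build, adding `--locked` keeps cbindgen on the dependency versions from its own lock file: `run: cargo install --locked --debug --version 0.24.3 cbindgen`.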
@@ -1554,6 +1629,11 @@ jobs: run: shell: msys2 {0} steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - uses: actions/checkout@v3.1.0 - uses: msys2/setup-msys2@fa138fa56e2558760b9f2205135313c7345c5f3f with: @@ -1605,6 +1685,11 @@ jobs: run: shell: msys2 {0} steps: + - name: Cache ~/.cargo + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 + with: + path: ~/.cargo + key: ${{ github.job }}-cargo - uses: actions/checkout@v3.1.0 - uses: msys2/setup-msys2@v2 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d4c8a0ac9243..e504a43baede 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -17,7 +17,6 @@ jobs: permissions: actions: read contents: read - packages: write security-events: write diff --git a/rust/src/http2/decompression.rs b/rust/src/http2/decompression.rs index df94d20690a3..9356834f2dd6 100644 --- a/rust/src/http2/decompression.rs +++ b/rust/src/http2/decompression.rs @@ -50,6 +50,11 @@ impl HTTP2cursor { pub fn set_position(&mut self, pos: u64) { return self.cursor.set_position(pos); } + + pub fn clear(&mut self) { + self.cursor.get_mut().clear(); + self.cursor.set_position(0); + } } // we need to implement this as flate2 and brotli crates @@ -156,8 +161,7 @@ fn http2_decompress<'a>( } } //brotli does not consume all input if it reaches some end - - decoder.get_mut().set_position(0); + decoder.get_mut().clear(); return Ok(&output[..offset]); } diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs index 404081c94ce2..3a6ffab7ec36 100644 --- a/rust/src/http2/http2.rs +++ b/rust/src/http2/http2.rs 
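Review bot: `HTTP2cursor::clear` is public but has no doc comment, and the name alone does not say that unread input is thrown away together with the rewind. A one-line comment would make that contract explicit, e.g. `/// Discards all buffered input, read or not, and resets the position to 0.` The `impl HTTP2cursor` block starts outside the hunk, so the type behind `cursor.get_mut()` is not visible here; the proposed wording assumes it is a byte buffer.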
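Review bot: The comment kept above the changed line in `http2_decompress`, `//brotli does not consume all input if it reaches some end`, explained the old rewind; with `decoder.get_mut().clear()` the leftover input is now dropped, and the comment should say that this is deliberate, e.g. `// drop any input the decoder left unread before the next call` if that is the intent. The clear also sits only on the success path shown here. If the earlier part of the function (outside the hunk) can return an error after input was written into the cursor, the buffer would keep that data, so it is worth confirming that callers discard the decoder in that case.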
@@ -933,6 +933,7 @@ impl HTTP2State { let over = head.flags & parser::HTTP2_FLAG_HEADER_EOS != 0; let ftype = head.ftype; let sid = head.stream_id; + let padded = head.flags & parser::HTTP2_FLAG_HEADER_PADDED != 0; if dir == Direction::ToServer { tx.frames_ts.push(HTTP2Frame { header: head, @@ -956,9 +957,12 @@ impl HTTP2State { } else { tx_same.ft_ts.tx_id = tx_same.tx_id - 1; }; - + let mut dinput = &rem[..hlsafe]; + if padded && rem.len() > 0 && usize::from(rem[0]) < hlsafe{ + dinput = &rem[1..hlsafe - usize::from(rem[0])]; + } match tx_same.decompress( - &rem[..hlsafe], + dinput, dir, sfcm, over, diff --git a/rust/src/http2/parser.rs b/rust/src/http2/parser.rs index 90b7ba639404..6c16d8762f06 100644 --- a/rust/src/http2/parser.rs +++ b/rust/src/http2/parser.rs @@ -585,7 +585,7 @@ pub struct HTTP2FrameHeaders { //end stream pub const HTTP2_FLAG_HEADER_EOS: u8 = 0x1; pub const HTTP2_FLAG_HEADER_END_HEADERS: u8 = 0x4; -const HTTP2_FLAG_HEADER_PADDED: u8 = 0x8; +pub const HTTP2_FLAG_HEADER_PADDED: u8 = 0x8; const HTTP2_FLAG_HEADER_PRIORITY: u8 = 0x20; fn http2_parse_headers_blocks<'a>( diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index 4d5bc434f0b5..ee54b907228f 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -462,7 +462,7 @@ static int DetectAddressParseString(DetectAddress *dd, const char *str) if (cidr < 0) { SCLogError(SC_ERR_INVALID_SIGNATURE, "netmask \"%s\" is not usable. Only netmasks that are compatible with " - "CIDR notation are supported. See #5168.", + "CIDR notation are supported. See ticket #5168.", mask); goto error; } diff --git a/src/output-json-stats.c b/src/output-json-stats.c index 7a3a901329bd..7ad3b22ef39b 100644 --- a/src/output-json-stats.c +++ b/src/output-json-stats.c 
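Review bot: When the PADDED flag is set but the pad-length byte is not smaller than `hlsafe`, the new `if` in the `@@ -956,9 +957,12 @@` hunk is skipped and `dinput` stays `&rem[..hlsafe]`, so the pad-length byte and the padding are handed to `tx_same.decompress` as body data with no sign that the frame was malformed. For an inspection engine that case is worth surfacing: add an `else` branch for `padded` that records an anomaly on the transaction through whatever event mechanism this file already uses, instead of decoding the bytes silently. Separately, if `hlsafe` can be shorter than the frame length (its definition is outside the hunk), `hlsafe - usize::from(rem[0])` trims payload bytes rather than padding and needs a guard. Minor style: `!rem.is_empty()` reads better than `rem.len() > 0`, and a space is missing before `{`.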
@@ -401,8 +401,9 @@ static OutputInitResult OutputStatsLogInitSub(ConfNode *conf, OutputCtx *parent_ if (stats_decoder_events && strcmp(stats_decoder_events_prefix, "decoder") == 0) { - SCLogWarning(SC_WARN_EVE_MISSING_EVENTS, "eve.stats will not display " - "all decoder events correctly. See #2225. Set a prefix in " + SCLogWarning(SC_WARN_EVE_MISSING_EVENTS, + "eve.stats will not display " + "all decoder events correctly. See ticket #2225. Set a prefix in " "stats.decoder-events-prefix."); } diff --git a/src/runmode-af-packet.c b/src/runmode-af-packet.c index f2500d3d3b0c..006e0a4cc065 100644 --- a/src/runmode-af-packet.c +++ b/src/runmode-af-packet.c @@ -738,7 +738,9 @@ int AFPRunModeIsIPS() } if (has_ids && has_ips) { - SCLogInfo("AF_PACKET mode using IPS and IDS mode"); + SCLogWarning(SC_ERR_INVALID_ARGUMENT, + "AF_PACKET using both IPS and TAP/IDS mode, this will not " + "be allowed in Suricata 8 due to undefined behavior. See ticket #5588."); for (ldev = 0; ldev < nlive; ldev++) { const char *live_dev = LiveGetDeviceName(ldev); if (live_dev == NULL) { diff --git a/src/runmode-netmap.c b/src/runmode-netmap.c index 5aa4128c88c4..a4f22b7c400b 100644 --- a/src/runmode-netmap.c +++ b/src/runmode-netmap.c @@ -373,7 +373,9 @@ int NetmapRunModeIsIPS() } if (has_ids && has_ips) { - SCLogInfo("Netmap mode using IPS and IDS mode"); + SCLogWarning(SC_ERR_INVALID_ARGUMENT, + "Netmap using both IPS and TAP/IDS mode, this will not be " + "allowed in Suricata 8 due to undefined behavior. See ticket #5588."); for (ldev = 0; ldev < nlive; ldev++) { const char *live_dev = LiveGetDeviceName(ldev); if (live_dev == NULL) { diff --git a/src/runmodes.c b/src/runmodes.c index 9278652abd43..a2fd99ab0ab1 100644 --- a/src/runmodes.c +++ b/src/runmodes.c 
@@ -797,18 +797,16 @@ void RunModeInitializeOutputs(void) } if (strcmp(output->val, "file-log") == 0) { - SCLogWarning(SC_ERR_NOT_SUPPORTED, - "file-log is no longer supported," - " use eve.files instead " - "(see https://redmine.openinfosecfoundation.org/issues/2376" - " for an explanation)"); + SCLogWarning(SC_ERR_NOT_SUPPORTED, "file-log is no longer supported," + " use eve.files instead " + "(see ticket #2376" + " for an explanation)"); continue; } else if (strncmp(output->val, "unified-", sizeof("unified-") - 1) == 0) { - SCLogWarning(SC_ERR_NOT_SUPPORTED, - "Unified1 is no longer supported," - " use Unified2 instead " - "(see https://redmine.openinfosecfoundation.org/issues/353" - " for an explanation)"); + SCLogWarning(SC_ERR_NOT_SUPPORTED, "Unified1 is no longer supported," + " use Unified2 instead " + "(see ticket #353" + " for an explanation)"); continue; } else if (strncmp(output->val, "unified2-", sizeof("unified2-") - 1) == 0) { SCLogWarning(SC_ERR_NOT_SUPPORTED, diff --git a/src/source-pfring.c b/src/source-pfring.c index acd3ab8ef894..bb30df619e5c 100644 --- a/src/source-pfring.c +++ b/src/source-pfring.c @@ -262,7 +262,7 @@ static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Pack if (!ptv->vlan_hdr_warned) { SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw " - "packet. See #2355."); + "packet. See ticket #2355."); ptv->vlan_hdr_warned = true; } } diff --git a/src/util-luajit.c b/src/util-luajit.c index 5ecaf9447e45..949cf618fe01 100644 --- a/src/util-luajit.c +++ b/src/util-luajit.c 
@@ -109,9 +109,9 @@ void LuajitFreeStatesPool(void) pthread_mutex_lock(&luajit_states_lock); if (luajit_states_cnt_max > luajit_states_size) { SCLogNotice("luajit states used %d is bigger than pool size %d. Set " - "luajit.states to %d to avoid memory issues. " - "See #1577 and #1955.", luajit_states_cnt_max, luajit_states_size, - luajit_states_cnt_max); + "luajit.states to %d to avoid memory issues. " + "See tickets #1577 and #1955.", + luajit_states_cnt_max, luajit_states_size, luajit_states_cnt_max); } PoolFree(luajit_states); luajit_states = NULL; @@ -128,9 +128,11 @@ lua_State *LuajitGetState(void) s = (lua_State *)PoolGet(luajit_states); if (s != NULL) { if (luajit_states_cnt == luajit_states_size) { - SCLogWarning(SC_WARN_LUA_SCRIPT, "luajit states pool size %d " + SCLogWarning(SC_WARN_LUA_SCRIPT, + "luajit states pool size %d " "reached. Increase luajit.states config option. " - "See #1577 and #1955", luajit_states_size); + "See tickets #1577 and #1955", + luajit_states_size); } luajit_states_cnt++;