Codeql 5307 v6

.github/workflows/codeql.yml

@@ -0,0 +1,55 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '18 21 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    permissions:
+      actions: read
+      contents: read
+      packages: write
+      security-events: write
+
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - run: |
+       sudo apt-get update
+       sudo apt-get install libyaml-dev
+       sudo apt-get install libssl-dev
+       sudo apt-get install libpcre2-dev
+       sudo apt-get install libjansson-dev
+       sudo apt-get install libpcap-dev
+       sudo apt-get install libnuma-dev
+       git clone --depth 1 https://github.com/OISF/libhtp.git
+       cargo install cbindgen
+       export PATH=/opt/work/.cargo/bin:$PATH
+        chmod +x autogen.sh
+       ./autogen.sh
+       ./configure
+       make
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.lgtm.yml

@@ -3,7 +3,18 @@ extraction:
     prepare:
       packages:
         - cargo
+        - libssl-dev
+        - rustc
+        - libpcre2-dev
+        - libyaml-dev
+        - libjansson-dev
+        - libnuma-dev
+        - libpcap-dev
     after_prepare:
       - git clone --depth 1 https://github.com/OISF/libhtp.git
       - cargo install cbindgen
       - export PATH=/opt/work/.cargo/bin:$PATH
+      - chmod +x autogen.sh
+      - ./autogen.sh
+      - ./configure
+      - make

rust/Makefile.am

@@ -81,9 +81,8 @@ vendor:
 
 if HAVE_CBINDGEN
 gen/rust-bindings.h: $(RUST_SURICATA_LIB)
-	rm -f gen/rust-bindings.h
 	cbindgen --config $(abs_top_srcdir)/rust/cbindgen.toml \
-		--quiet --output $(abs_top_builddir)/rust/gen/rust-bindings.h
+		--quiet --verify --output $(abs_top_builddir)/rust/gen/rust-bindings.h || true
 else
 gen/rust-bindings.h:
 endif

rust/src/common.rs

@@ -1,3 +1,5 @@
+use super::build_slice;
+use crate::jsonbuilder::HEX;
 use std::ffi::CString;
 use std::os::raw::c_char;
 
@@ -12,9 +14,9 @@ pub mod nom7 {
     /// `take_until` does not consume the matched tag, and
     /// `take_until_and_consume` was removed in nom 7. This function
     /// provides an implementation (specialized for `&[u8]`).
-    pub fn take_until_and_consume<'a, E: ParseError<&'a [u8]>>(t: &'a [u8])
-         -> impl Fn(&'a [u8]) -> IResult<&'a [u8], &'a [u8], E>
-    {
+    pub fn take_until_and_consume<'a, E: ParseError<&'a [u8]>>(
+        t: &'a [u8],
+    ) -> impl Fn(&'a [u8]) -> IResult<&'a [u8], &'a [u8], E> {
         move |i: &'a [u8]| {
             let (i, res) = take_until(t)(i)?;
             let (i, _) = tag(t)(i)?;
@@ -115,9 +117,50 @@ pub unsafe extern "C" fn rs_cstring_free(s: *mut c_char) {
 
 /// Convert an u8-array of data into a hexadecimal representation
 pub fn to_hex(input: &[u8]) -> String {
-    static CHARS: &'static [u8] = b"0123456789abcdef";
+    return input
+        .iter()
+        .map(|b| {
+            vec![
+                char::from(HEX[(b >> 4) as usize]),
+                char::from(HEX[(b & 0xf) as usize]),
+            ]
+        })
+        .flatten()
+        .collect();
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_to_hex(
+    output: *mut u8, out_len: usize, input: *const u8, in_len: usize,
+) {
+    if out_len < 2 * in_len + 1 {
+        return;
+    }
+    let islice = build_slice!(input, in_len);
+    let oslice = std::slice::from_raw_parts_mut(output, 2 * in_len + 1);
+    // only used from C
+    for i in 0..islice.len() {
+        oslice[2 * i] = HEX[(islice[i] >> 4) as usize];
+        oslice[2 * i + 1] = HEX[(islice[i] & 0xf) as usize];
+    }
+    oslice[2 * islice.len()] = 0;
+}
 
-    return input.iter().map(
-        |b| vec![char::from(CHARS[(b >>  4) as usize]), char::from(CHARS[(b & 0xf) as usize])]
-    ).flatten().collect();
+#[no_mangle]
+pub unsafe extern "C" fn rs_to_hex_sep(
+    output: *mut u8, out_len: usize, sep: u8, input: *const u8, in_len: usize,
+) {
+    if out_len < 3 * in_len {
+        return;
+    }
+    let islice = build_slice!(input, in_len);
+    let oslice = std::slice::from_raw_parts_mut(output, 3 * in_len);
+    // only used from C
+    for i in 0..islice.len() {
+        oslice[3 * i] = HEX[(islice[i] >> 4) as usize];
+        oslice[3 * i + 1] = HEX[(islice[i] & 0xf) as usize];
+        oslice[3 * i + 2] = sep;
+    }
+    // overwrites last separator with final null char
+    oslice[3 * islice.len() - 1] = 0;
 }

rust/src/jsonbuilder.rs

@@ -474,6 +474,32 @@ impl JsonBuilder {
         Ok(self)
     }
 
+    /// Set a key and a string field as the hex encoded string of the value.
+    pub fn set_hex(&mut self, key: &str, val: &[u8]) -> Result<&mut Self, JsonError> {
+        match self.current_state() {
+            State::ObjectNth => {
+                self.buf.push(',');
+            }
+            State::ObjectFirst => {
+                self.set_state(State::ObjectNth);
+            }
+            _ => {
+                debug_validate_fail!("invalid state");
+                return Err(JsonError::InvalidState);
+            }
+        }
+        self.buf.push('"');
+        self.buf.push_str(key);
+        self.buf.push_str("\":\"");
+        for i in 0..val.len() {
+            self.buf.push(HEX[(val[i] >>  4) as usize] as char);
+            self.buf.push(HEX[(val[i] & 0xf) as usize] as char);
+        }
+        self.buf.push('"');
+
+        Ok(self)
+    }
+
     /// Set a key and an unsigned integer type on an object.
     pub fn set_uint(&mut self, key: &str, val: u64) -> Result<&mut Self, JsonError> {
         match self.current_state() {
@@ -716,6 +742,20 @@ pub unsafe extern "C" fn jb_set_base64(
     return false;
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn jb_set_hex(
+    js: &mut JsonBuilder, key: *const c_char, bytes: *const u8, len: u32,
+) -> bool {
+    if bytes == std::ptr::null() || len == 0 {
+        return false;
+    }
+    if let Ok(key) = CStr::from_ptr(key).to_str() {
+        let val = std::slice::from_raw_parts(bytes, len as usize);
+        return js.set_hex(key, val).is_ok();
+    }
+    return false;
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn jb_set_formatted(js: &mut JsonBuilder, formatted: *const c_char) -> bool {
     if let Ok(formatted) = CStr::from_ptr(formatted).to_str() {
@@ -1160,6 +1200,6 @@ static ESCAPED: [u8; 256] = [
     __, __, __, __, __, __, __, __, __, __, __, __, __, __, __, __, // F
 ];
 
-static HEX: [u8; 16] = [
+pub static HEX: [u8; 16] = [
     b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'a', b'b', b'c', b'd', b'e', b'f',
 ];

src/Makefile.am

@@ -1267,7 +1267,7 @@ suricata_SOURCES = main.c
 # the library search path.
 suricata_LDFLAGS = $(all_libraries) ${SECLDFLAGS}
 suricata_LDADD = libsuricata_c.a $(RUST_SURICATA_LIB) $(HTP_LDADD) $(RUST_LDADD)
-suricata_DEPENDENCIES = libsuricata_c.a
+suricata_DEPENDENCIES = libsuricata_c.a $(RUST_SURICATA_LIB)
 
 if BUILD_SHARED_LIBRARY
 libsuricata.so.$(VERSION): libsuricata_c.a

src/app-layer-ssl.c

@@ -466,11 +466,8 @@ static inline int TlsDecodeHSCertificateFingerprint(SSLState *ssl_state,
 
     uint8_t hash[SC_SHA1_LEN];
     if (SCSha1HashBuffer(input, cert_len, hash, sizeof(hash)) == 1) {
-        for (int i = 0, x = 0; x < SC_SHA1_LEN; x++) {
-            i += snprintf(ssl_state->server_connp.cert0_fingerprint + i,
-                    SHA1_STRING_LENGTH - i, i == 0 ? "%02x" : ":%02x",
-                    hash[x]);
-        }
+        rs_to_hex_sep((uint8_t *)ssl_state->server_connp.cert0_fingerprint, SHA1_STRING_LENGTH, ':',
+                hash, SC_SHA1_LEN);
     }
     return 0;
 }

src/datasets.c

@@ -766,12 +766,8 @@ static int SaveCallback(void *ctx, const uint8_t *data, const uint32_t data_len)
 static int Md5AsAscii(const void *s, char *out, size_t out_size)
 {
     const Md5Type *md5 = s;
-    uint32_t x;
-    int i;
     char str[256];
-    for (i = 0, x = 0; x < sizeof(md5->md5); x++) {
-        i += snprintf(&str[i], 255-i, "%02x", md5->md5[x]);
-    }
+    PrintHexString(str, sizeof(str), (uint8_t *)md5->md5, sizeof(md5->md5));
     strlcat(out, str, out_size);
     strlcat(out, "\n", out_size);
     return strlen(out);
@@ -780,12 +776,8 @@ static int Md5AsAscii(const void *s, char *out, size_t out_size)
 static int Sha256AsAscii(const void *s, char *out, size_t out_size)
 {
     const Sha256Type *sha = s;
-    uint32_t x;
-    int i;
     char str[256];
-    for (i = 0, x = 0; x < sizeof(sha->sha256); x++) {
-        i += snprintf(&str[i], 255-i, "%02x", sha->sha256[x]);
-    }
+    PrintHexString(str, sizeof(str), (uint8_t *)sha->sha256, sizeof(sha->sha256));
     strlcat(out, str, out_size);
     strlcat(out, "\n", out_size);
     return strlen(out);

src/detect-content.c

@@ -99,7 +99,7 @@ int DetectContentDataParse(const char *keyword, const char *contentstr,
     char converted = 0;
 
     {
-        uint16_t i, x;
+        size_t i, x;
         uint8_t bin = 0;
         uint8_t escape = 0;
         uint8_t binstr[3] = "";

src/detect-detection-filter.c

@@ -103,7 +103,7 @@ static DetectThresholdData *DetectDetectionFilterParse (const char *rawstr)
     char *copy_str = NULL, *df_opt = NULL;
     int seconds_found = 0, count_found = 0, track_found = 0;
     int seconds_pos = 0, count_pos = 0;
-    uint16_t pos = 0;
+    size_t pos = 0;
     int i = 0;
     char *saveptr = NULL;
 

src/detect-engine-prefilter.c

@@ -599,9 +599,8 @@ static uint32_t PrefilterStoreHashFunc(HashListTable *ht, void *data, uint16_t d
     PrefilterStore *ctx = data;
 
     uint32_t hash = strlen(ctx->name);
-    uint16_t u;
 
-    for (u = 0; u < strlen(ctx->name); u++) {
+    for (size_t u = 0; u < strlen(ctx->name); u++) {
         hash += ctx->name[u];
     }
 

src/detect-msg.c

@@ -65,7 +65,7 @@ static int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, const char *ms
     char converted = 0;
 
     {
-        uint16_t i, x;
+        size_t i, x;
         uint8_t escape = 0;
 
         /* it doesn't matter if we need to escape or not we remove the extra "\" to mimic snort */
@@ -194,4 +194,4 @@ void DetectMsgRegisterTests(void)
     UtRegisterTest("DetectMsgParseTest02", DetectMsgParseTest02);
     UtRegisterTest("DetectMsgParseTest03", DetectMsgParseTest03);
 }
-#endif /* UNITTESTS */
+#endif /* UNITTESTS */

src/detect-threshold.c

@@ -118,7 +118,7 @@ static DetectThresholdData *DetectThresholdParse(const char *rawstr)
     int second_found = 0, count_found = 0;
     int type_found = 0, track_found = 0;
     int second_pos = 0, count_pos = 0;
-    uint16_t pos = 0;
+    size_t pos = 0;
     int i = 0;
 
     copy_str = SCStrdup(rawstr);

src/output-filestore.c

@@ -88,15 +88,6 @@ static uint32_t FileGetMaxOpenFiles(void)
     return g_file_store_max_open_files;
 }
 
-static void PrintHexString(char *str, size_t size, uint8_t *buf, size_t buf_len)
-{
-    int i = 0;
-    size_t x = 0;
-    for (i = 0, x = 0; x < buf_len; x++) {
-        i += snprintf(&str[i], size - i, "%02x", buf[x]);
-    }
-}
-
 /**
  * \brief Update the timestamps on a file to match those of another
  *     file.

src/output-json-email-common.c

@@ -138,13 +138,7 @@ static void EveEmailLogJSONMd5(OutputJsonEmailCtx *email_ctx, JsonBuilder *js, S
     if (email_ctx->flags & LOG_EMAIL_BODY_MD5) {
         MimeDecParseState *mime_state = tx->mime_state;
         if (mime_state && mime_state->has_md5 && (mime_state->state_flag == PARSE_DONE)) {
-            size_t x;
-            int i;
-            char s[256];
-            for (i = 0, x = 0; x < sizeof(mime_state->md5); x++) {
-                i += snprintf(s + i, 255 - i, "%02x", mime_state->md5[x]);
-            }
-            jb_set_string(js, "body_md5", s);
+            jb_set_hex(js, "body_md5", mime_state->md5, (uint32_t)sizeof(mime_state->md5));
         }
     }
 }

src/output-json.c

@@ -143,22 +143,10 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
         case FILE_STATE_CLOSED:
             JB_SET_STRING(jb, "state", "CLOSED");
             if (ff->flags & FILE_MD5) {
-                size_t x;
-                int i;
-                char str[256];
-                for (i = 0, x = 0; x < sizeof(ff->md5); x++) {
-                    i += snprintf(&str[i], 255-i, "%02x", ff->md5[x]);
-                }
-                jb_set_string(jb, "md5", str);
+                jb_set_hex(jb, "md5", (uint8_t *)ff->md5, (uint32_t)sizeof(ff->md5));
             }
             if (ff->flags & FILE_SHA1) {
-                size_t x;
-                int i;
-                char str[256];
-                for (i = 0, x = 0; x < sizeof(ff->sha1); x++) {
-                    i += snprintf(&str[i], 255-i, "%02x", ff->sha1[x]);
-                }
-                jb_set_string(jb, "sha1", str);
+                jb_set_hex(jb, "sha1", (uint8_t *)ff->sha1, (uint32_t)sizeof(ff->sha1));
             }
             break;
         case FILE_STATE_TRUNCATED:
@@ -173,13 +161,7 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
     }
 
     if (ff->flags & FILE_SHA256) {
-        size_t x;
-        int i;
-        char str[256];
-        for (i = 0, x = 0; x < sizeof(ff->sha256); x++) {
-            i += snprintf(&str[i], 255-i, "%02x", ff->sha256[x]);
-        }
-        jb_set_string(jb, "sha256", str);
+        jb_set_hex(jb, "sha256", (uint8_t *)ff->sha256, (uint32_t)sizeof(ff->sha256));
     }
 
     if (stored) {