| author | liuwentan <[email protected]> | 2023-10-11 12:02:18 +0800 |
|---|---|---|
| committer | liuwentan <[email protected]> | 2023-10-11 12:02:18 +0800 |
| commit | a11b5985f894d4dc09fe0d5eb7c12c6d3de262c0 (patch) | |
| tree | b6408d459007a8ed0109add3ee3251a5d627ce7e | |
| parent | a0039da8e6ea9eecd69918c056cb979bf564a47d (diff) | |
[BUGFIX]fix illegal clause index validate => TSG-17306v4.1.1
| -rw-r--r-- | src/maat_bool_plugin.c | 3 | ||||
| -rw-r--r-- | src/maat_compile.c | 42 | ||||
| -rw-r--r-- | src/maat_flag.c | 2 | ||||
| -rw-r--r-- | src/maat_fqdn_plugin.c | 14 | ||||
| -rw-r--r-- | src/maat_group.c | 7 | ||||
| -rw-r--r-- | src/maat_ip.c | 13 | ||||
| -rw-r--r-- | src/maat_ip_plugin.c | 39 | ||||
| -rw-r--r-- | test/maat_framework_gtest.cpp | 16 | ||||
| -rw-r--r-- | test/maat_json.json | 10 | ||||
| -rw-r--r-- | test/table_info.conf | 3 |
10 files changed, 86 insertions, 63 deletions
diff --git a/src/maat_bool_plugin.c b/src/maat_bool_plugin.c
index 1fa1c56..d77d31c 100644
--- a/src/maat_bool_plugin.c
+++ b/src/maat_bool_plugin.c
@@ -304,7 +304,7 @@ bool_plugin_expr_new(struct bool_plugin_schema *schema, const char *table_name, size_t column_offset = 0; size_t column_len = 0; size_t n_item = 0; - char expr_buffer[BUFSIZ] = {0}; + char expr_buffer[BUFSIZ + 1] = {0}; unsigned long long items[MAX_ITEMS_PER_BOOL_EXPR] = {0}; char *token = NULL, *sub_token = NULL, *saveptr; struct bool_expr *bool_expr = ALLOC(struct bool_expr, 1);
@@ -326,6 +326,7 @@ bool_plugin_expr_new(struct bool_plugin_schema *schema, const char *table_name, goto error; } + memset(expr_buffer, 0, sizeof(expr_buffer)); memcpy(expr_buffer, line + column_offset, column_len); for (token = expr_buffer; ; token = NULL) { sub_token = strtok_r(token, "&", &saveptr);
diff --git a/src/maat_compile.c b/src/maat_compile.c
index 8a0db83..513852f 100644
--- a/src/maat_compile.c
+++ b/src/maat_compile.c
@@ -28,7 +28,13 @@ #define MODULE_COMPILE module_name_str("maat.compile") #define DEFAULT_GC_TIMEOUT_S 10 -#define MAX_SUPER_GROUP_CNT 128 +#define MAX_SUPER_GROUP_CNT 128 +#define MAX_NOT_CLAUSE_NUM 8 + +enum clause_not_flag { + CLAUSE_NOT_FLAG_UNSET = 0, + CLAUSE_NOT_FLAG_SET }; struct compile_schema { int compile_id_column;
@@ -280,7 +286,16 @@ compile_item_new(const char *table_line, struct compile_schema *schema, __FUNCTION__, __LINE__, table_name, table_line); goto error; } + compile_item->declared_clause_num = atoi(table_line + column_offset); + if (compile_item->declared_clause_num < 0 || + compile_item->declared_clause_num > MAX_NOT_CLAUSE_NUM) { + log_error(logger, MODULE_COMPILE, + "[%s:%d] table: <%s> clause_num:%d exceed maximum:%d in line:%s", + __FUNCTION__, __LINE__, table_name, compile_item->declared_clause_num, + MAX_NOT_CLAUSE_NUM, table_line); + goto error; + } compile_item->ref_schema = schema; compile_item->ex_data = ALLOC(void *, 1); 
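Review bot: The `memcpy(expr_buffer, line + column_offset, column_len)` kept as context right after the new memset is still unbounded: nothing in this hunk compares column_len with sizeof(expr_buffer), so a column longer than BUFSIZ overruns the stack buffer, and growing it to BUFSIZ + 1 only guarantees a terminator for a column of exactly BUFSIZ bytes. Unless a length check sits in the lines between the two hunks (309–325), add one before the copy: `if (column_len > BUFSIZ) { log_error(logger, MODULE_BOOL_PLUGIN, "[%s:%d] table:<%s> expr column too long in line:%s", __FUNCTION__, __LINE__, table_name, line); goto error; }` (adjust the logger and module names to what this function uses). The memset is also redundant for a function-local array already declared `= {0}` and written once, so it can be dropped. bool_plugin_expr_new starts before and continues past this hunk.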
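Review bot: `compile_item->declared_clause_num = atoi(table_line + column_offset);` silently turns a malformed column ("abc", an empty field, or a value outside int range) into 0 or an unspecified value, so the new range check cannot tell garbage from a legitimate 0. Parse with strtol and an end pointer instead, e.g. `char *end = NULL; long v = strtol(table_line + column_offset, &end, 10);` and reject when `end == table_line + column_offset` or v is outside 0..MAX_NOT_CLAUSE_NUM, before storing it. The same weakness is shared by every other atoi-backed check this commit adds (not_flag, clause_index, is_suffix_match, is_exclude, proto). compile_item_new starts before this hunk and continues past it.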
@@ -313,7 +328,7 @@ static void compile_item_free(struct compile_item *item) FREE(item->ex_data); } - item->declared_clause_num = -1; + item->declared_clause_num = 0; if (item->table_line != NULL) { FREE(item->table_line);
@@ -744,7 +759,7 @@ group2compile_item_new(const char *line, struct group2compile_schema *g2c_schema { size_t column_offset = 0; size_t column_len = 0; - char vtable_name[MAX_NAME_STR_LEN] = {0}; + char vtable_name[MAX_NAME_STR_LEN + 1] = {0}; struct group2compile_item *g2c_item = ALLOC(struct group2compile_item, 1); int ret = get_column_pos(line, g2c_schema->group_id_column, &column_offset,
@@ -775,7 +790,15 @@ group2compile_item_new(const char *line, struct group2compile_schema *g2c_schema __FUNCTION__, __LINE__, table_name, line); goto error; } + g2c_item->not_flag = atoi(line + column_offset); + if (g2c_item->not_flag != CLAUSE_NOT_FLAG_SET && + g2c_item->not_flag != CLAUSE_NOT_FLAG_UNSET) { + log_error(logger, MODULE_COMPILE, + "[%s:%d] g2c table:<%s> NOT_flag:%d is illegal in line:%s ", + __FUNCTION__, __LINE__, table_name, g2c_item->not_flag, line); + goto error; + } ret = get_column_pos(line, g2c_schema->vtable_name_column, &column_offset, &column_len);
@@ -794,6 +817,7 @@ group2compile_item_new(const char *line, struct group2compile_schema *g2c_schema goto error; } + memset(vtable_name, 0, sizeof(vtable_name)); memcpy(vtable_name, (line + column_offset), column_len); if (is_valid_table_name(vtable_name)) {
@@ -817,6 +841,13 @@ group2compile_item_new(const char *line, struct group2compile_schema *g2c_schema } g2c_item->clause_index = atoi(line + column_offset); + if (g2c_item->clause_index < 0 || g2c_item->clause_index >= MAX_NOT_CLAUSE_NUM) { + log_error(logger, MODULE_COMPILE, + "[%s:%d] g2c table:<%s> clause_index:%d exceed maximum:%d in line:%s", + __FUNCTION__, __LINE__, table_name, g2c_item->clause_index, + MAX_NOT_CLAUSE_NUM, line); + goto error; + } return g2c_item; error: 
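Review bot: `item->declared_clause_num = 0;` changes the reset value from -1 to 0, and 0 is now also a legal declared count under the new range check in compile_item_new, so a freed or never-parsed item is no longer distinguishable from one that declared zero clauses by this field alone. If nothing reads the field after free this is harmless, but it deserves a one-line comment at the assignment, e.g. `/* 0 is also a valid parsed count; do not use this field to detect a freed item */`. compile_item_free continues past this hunk.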
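Review bot: `memcpy(vtable_name, (line + column_offset), column_len);` copies a table-supplied column length into a MAX_NAME_STR_LEN + 1 byte stack array with no bound visible in the hunk; the extra byte only keeps a column of exactly MAX_NAME_STR_LEN bytes NUL-terminated, it does not stop a longer one from overflowing before is_valid_table_name ever sees it. Unless a check exists in the unshown lines between this hunk and the previous one, guard the copy: `if (column_len > MAX_NAME_STR_LEN) { log_error(logger, MODULE_COMPILE, "[%s:%d] g2c table:<%s> vtable_name too long in line:%s", __FUNCTION__, __LINE__, table_name, line); goto error; }`. The added memset is redundant as well, since vtable_name is a local declared `= {0}` and written once. group2compile_item_new starts before and ends after this hunk.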
@@ -1038,11 +1069,11 @@ maat_compile_build_literal2clause_hash(struct compile_runtime *compile_rt, int n } if (0 == not_flag) { - if (1 == clause->not_flag) { + if (CLAUSE_NOT_FLAG_SET == clause->not_flag) { continue; } } else { - if (0 == clause->not_flag) { + if (CLAUSE_NOT_FLAG_UNSET == clause->not_flag) { continue; } }
@@ -1920,7 +1951,6 @@ int compile_runtime_update(void *compile_runtime, void *compile_schema, return 0; } -#define MAX_NOT_CLAUSE_NUM 8 int validate_vtable_not_clause(struct group2compile_runtime *g2c_rt, struct table_manager *tbl_mgr, int vtable_id, int is_valid, struct log_handle *logger)
diff --git a/src/maat_flag.c b/src/maat_flag.c
index 4125f2f..ab3259d 100644
--- a/src/maat_flag.c
+++ b/src/maat_flag.c
@@ -360,7 +360,7 @@ flag_item_new(struct flag_schema *schema, const char *table_name, item->flag = strtoull(line + column_offset, NULL, 0); - ret = get_column_pos(line, schema->flag_mask_column, &column_offset, &column_len); + ret = get_column_pos(line, schema->flag_mask_column, &column_offset, &column_len); if (ret < 0) { log_error(flag_rt->logger, MODULE_FLAG, "[%s:%d] flag table:<%s> has no flag_mask in line:%s",
diff --git a/src/maat_fqdn_plugin.c b/src/maat_fqdn_plugin.c
index 58409b0..256856e 100644
--- a/src/maat_fqdn_plugin.c
+++ b/src/maat_fqdn_plugin.c
@@ -21,7 +21,7 @@ struct fqdn_plugin_schema { int item_id_column; - int suffix_flag_column; + int suffix_match_method_column; int fqdn_column; int rule_tag_column; int gc_timeout_s;
@@ -78,7 +78,7 @@ void *fqdn_plugin_schema_new(cJSON *json, struct table_manager *tbl_mgr, custom_item = cJSON_GetObjectItem(item, "suffix_match_method"); if (custom_item != NULL && custom_item->type == cJSON_Number) { - schema->suffix_flag_column = custom_item->valueint; + schema->suffix_match_method_column = custom_item->valueint; } else { log_error(logger, MODULE_FQDN_PLUGIN, "[%s:%d] fqdn_plugin table:<%s> schema has no suffix_match_method column", 
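Review bot: `if (0 == not_flag)` still tests the function's not_flag parameter against a bare literal while the two inner comparisons now use CLAUSE_NOT_FLAG_SET/UNSET, so the same value is spelled two ways a few lines apart. Use the enum for the outer test too, `if (CLAUSE_NOT_FLAG_UNSET == not_flag)`, or collapse the four-way branch to `if ((CLAUSE_NOT_FLAG_UNSET == not_flag) != (CLAUSE_NOT_FLAG_UNSET == clause->not_flag)) { continue; }`, which is equivalent now that group2compile_item_new rejects any clause->not_flag other than the two enum values. maat_compile_build_literal2clause_hash starts before and continues past this hunk.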
@@ -286,14 +286,22 @@ fqdn_plugin_rule_new(const char *line, struct fqdn_plugin_schema *schema, } fqdn_plugin_rule->id = atoi(line + column_offset); - ret = get_column_pos(line, schema->suffix_flag_column, &column_offset, &column_len); + ret = get_column_pos(line, schema->suffix_match_method_column, &column_offset, &column_len); if (ret < 0) { log_error(logger, MODULE_FQDN_PLUGIN, "[%s:%d] fqdn_plugin table:<%s> has no suffix_match_method in line:%s", __FUNCTION__, __LINE__, table_name, line); goto error; } + fqdn_plugin_rule->is_suffix_match = atoi(line + column_offset); + if (fqdn_plugin_rule->is_suffix_match != 0 && + fqdn_plugin_rule->is_suffix_match != 1) { + log_error(logger, MODULE_FQDN_PLUGIN, + "[%s:%d] fqdn_plugin table:<%s> suffix_match_method:%d is illegal in line:%s", + __FUNCTION__, __LINE__, table_name, fqdn_plugin_rule->is_suffix_match, line); + goto error; + } ret = get_column_pos(line, schema->fqdn_column, &column_offset, &column_len); if (ret < 0) {
diff --git a/src/maat_group.c b/src/maat_group.c
index 9603374..df4a245 100644
--- a/src/maat_group.c
+++ b/src/maat_group.c
@@ -356,6 +356,13 @@ group2group_item_new(const char *line, struct group2group_schema *g2g_schema, } g2g_item->is_exclude = atoi(line + column_offset); + if (g2g_item->is_exclude != 0 && g2g_item->is_exclude != 1) { + log_error(logger, MODULE_GROUP, + "[%s:%d] g2g table:<%s> is_exclude:%d is illegal in line:%s", + __FUNCTION__, __LINE__, table_name, g2g_item->is_exclude, line); + goto error; + } + return g2g_item; error: FREE(g2g_item);
diff --git a/src/maat_ip.c b/src/maat_ip.c
index 5657071..29ecbe1 100644
--- a/src/maat_ip.c
+++ b/src/maat_ip.c
@@ -24,6 +24,11 @@ #define MODULE_IP module_name_str("maat.ip") +#define IP_PROTO_ANY -1 +#define IP_PROTO_ICMP 1 +#define IP_PROTO_TCP 6 +#define IP_PROTO_UDP 17 + struct ip_schema { int item_id_column; int group_id_column; 
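Review bot: `fqdn_plugin_rule->is_suffix_match != 0 && ... != 1` validates a column the schema calls suffix_match_method against two bare literals, while maat_compile.c in this same commit introduces an enum for exactly this kind of 0/1 flag, and nothing in the hunk says what the two values mean. Define a small enum and write the check against its names, or at minimum put a comment on the check such as `/* suffix_match_method column: presumably 0 = exact match, 1 = suffix match — confirm against the table producer */`, since the meaning is only inferred from the field name here. Note also that atoi maps a non-numeric column to 0, which this check then accepts as a valid method. fqdn_plugin_rule_new starts before and continues past this hunk.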
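Review bot: `#define IP_PROTO_ANY -1` is an unparenthesized negative constant; write it as `#define IP_PROTO_ANY (-1)` (or make the four protocol values an enum) so it cannot bind unexpectedly when substituted into a larger expression. A one-line comment above the group stating that the values are IANA protocol numbers with -1 as the wildcard, e.g. `/* IANA protocol numbers; IP_PROTO_ANY matches every protocol */`, would also save the next reader a lookup.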
@@ -373,6 +378,14 @@ ip_item_new(struct ip_schema *ip_schema, const char *table_name, } ip_item->proto = atoi(line + column_offset); + if (ip_item->proto != IP_PROTO_ANY && ip_item->proto != IP_PROTO_ICMP && + ip_item->proto != IP_PROTO_TCP && ip_item->proto != IP_PROTO_UDP) { + log_error(logger, MODULE_IP, + "[%s:%d] ip table:<%s> protocol:%d is illegal in line:%s", + __FUNCTION__, __LINE__, table_name, ip_item->proto, line); + goto error; + } + return ip_item; error: FREE(ip_item);
diff --git a/src/maat_ip_plugin.c b/src/maat_ip_plugin.c
index e84e921..69acaa9 100644
--- a/src/maat_ip_plugin.c
+++ b/src/maat_ip_plugin.c
@@ -26,7 +26,6 @@ struct ip_plugin_schema { int ip_type_column; int start_ip_column; int end_ip_column; - int addr_format_column; int rule_tag_column; int gc_timeout_s; int table_id; //ugly
@@ -110,18 +109,6 @@ void *ip_plugin_schema_new(cJSON *json, struct table_manager *tbl_mgr, goto error; } - custom_item = cJSON_GetObjectItem(item, "addr_format"); - if (custom_item != NULL && custom_item->type == cJSON_Number) { - schema->addr_format_column = custom_item->valueint; - } - //TODO: just because test table has no addr_format - // else { - // log_error(logger, MODULE_IP_PLUGIN, - // "[%s:%d] table: <%s> schema has no addr_format column", - // __FUNCTION__, __LINE__, table_name); - // goto error; - // } - // rule_tag is optional custom_item = cJSON_GetObjectItem(item, "rule_tag"); if (custom_item != NULL && custom_item->type == cJSON_Number) {
@@ -204,7 +191,6 @@ ip_plugin_rule_new(struct ip_plugin_schema *schema, const char *table_name, size_t column_offset = 0; size_t column_len = 0; - char addr_format[16] = {0}; char start_ip_str[40] = {0}; char end_ip_str[40] = {0}; struct ip_rule *ip_plugin_rule = ALLOC(struct ip_rule, 1); 
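Review bot: The new whitelist at `ip_item->proto != IP_PROTO_ANY && ...` tightens a field that previously accepted any integer, so existing ip-table rows carrying other IANA protocol numbers (58 for ICMPv6 if this table holds IPv6 items, 132 for SCTP, and so on) will now fail to load where they used to be accepted; that is the right direction, but it should be confirmed against live table data before shipping, and the accepted set belongs in a comment on the check, e.g. `/* only wildcard, ICMP, TCP and UDP are matchable; anything else is rejected at load time */`. As elsewhere in this commit, atoi turns a non-numeric column into 0, which is rejected here only because 0 happens not to be in the list rather than because the parse was checked. ip_item_new starts before this hunk.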
@@ -233,27 +219,6 @@ ip_plugin_rule_new(struct ip_plugin_schema *schema, const char *table_name, goto error; } - //TODO: to be added again, - #if 0 - ret = get_column_pos(line, schema->addr_format_column, &column_offset, &column_len); - if (ret < 0) { - log_error(logger, MODULE_IP_PLUGIN, - "[%s:%d] ip_plugin table(table_id:%d) line:%s has no addr_format column", - __FUNCTION__, __LINE__, schema->table_id, line); - goto error; - } - - memcpy(addr_format, (line + column_offset), column_len); - if (IP_FORMAT_UNKNOWN == ip_format_str2int(addr_format)) { - log_error(logger, MODULE_IP_PLUGIN, - "[%s:%d] ip_plugin table(table_id:%d) line:%s has invalid addr_format, should be range/CIDR", - __FUNCTION__, __LINE__, schema->table_id, line); - goto error; - } - #endif - const char *tmp_str = "range"; - memcpy(addr_format, tmp_str, strlen(tmp_str)); - ret = get_column_pos(line, schema->start_ip_column, &column_offset, &column_len); if (ret < 0) { log_error(logger, MODULE_IP_PLUGIN,
@@ -273,7 +238,7 @@ ip_plugin_rule_new(struct ip_plugin_schema *schema, const char *table_name, strncpy(end_ip_str, line + column_offset, column_len); if (IPv4 == ip_plugin_rule->type) { - ret = ip_format2range(ip_plugin_rule->type, ip_format_str2int(addr_format), + ret = ip_format2range(ip_plugin_rule->type, IP_FORMAT_RANGE, start_ip_str, end_ip_str, &ip_plugin_rule->ipv4_rule.start_ip, &ip_plugin_rule->ipv4_rule.end_ip);
@@ -285,7 +250,7 @@ ip_plugin_rule_new(struct ip_plugin_schema *schema, const char *table_name, } } else { //ipv6 - ret = ip_format2range(ip_plugin_rule->type, ip_format_str2int(addr_format), + ret = ip_format2range(ip_plugin_rule->type, IP_FORMAT_RANGE, start_ip_str, end_ip_str, ip_plugin_rule->ipv6_rule.start_ip, ip_plugin_rule->ipv6_rule.end_ip);
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index 52ec4e3..8e2d153 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp 
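Review bot: `strncpy(end_ip_str, line + column_offset, column_len);` in the context just above the changed call bounds the copy by the source column length rather than the 40-byte destination, so an over-long column overflows end_ip_str, and a column of 40 or more bytes leaves it unterminated before ip_format2range reads it as a string; the start_ip copy in the unshown lines between the hunks presumably has the same shape. Bound it by the destination instead: `if (column_len >= sizeof(end_ip_str)) { log_error(logger, MODULE_IP_PLUGIN, "[%s:%d] ip_plugin table(table_id:%d) line:%s end_ip too long", __FUNCTION__, __LINE__, schema->table_id, line); goto error; }` followed by `memcpy(end_ip_str, line + column_offset, column_len);` (the array is zero-initialised, so it stays terminated). Passing `IP_FORMAT_RANGE` unconditionally also means a CIDR-formatted row is now parsed as a range with no diagnostic naming the cause, which is worth a comment at the call: `/* addr_format column was dropped: rules are always start/end ranges; CIDR input is not accepted here */`. ip_plugin_rule_new starts before and continues past this hunk.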
@@ -6367,15 +6367,15 @@ TEST_F(MaatCmdTest, UpdateIPPlugin) { struct maat *maat_inst = MaatCmdTest::_shared_maat_inst; int *ex_data_counter = MaatCmdTest::_ex_data_counter; const char *table_line_add[TEST_CMD_LINE_NUM] = { - "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t1\trange", - "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t1\trange", - "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t1\trange", - "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t1\trange"}; + "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t1", + "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t1", + "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t1", + "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t1"}; const char *table_line_del[TEST_CMD_LINE_NUM] = { - "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t0\trange", - "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t0\trange", - "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t0\trange", - "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t0\trange"}; + "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t0", + "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t0", + "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t0", + "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t0"}; int table_id = maat_get_table_id(maat_inst, table_name); ASSERT_GT(table_id, 0);
diff --git a/test/maat_json.json b/test/maat_json.json
index 1beb1db..a42edab 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json 
@@ -3494,11 +3494,11 @@ { "table_name": "TEST_IP_PLUGIN_WITH_EXDATA", "table_content": [ - "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t1\trange", - "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t1\trange", - "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t1\trange", - "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t1\trange", - "105\t6\t2620:100:3000::\t2620:0100:30ff:ffff:ffff:ffff:ffff:ffff\tBugreport-liumengyan-20210517\t1\trange" + "101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t1", + "102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t1", + "103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t1", + "104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t1", + "105\t6\t2620:100:3000::\t2620:0100:30ff:ffff:ffff:ffff:ffff:ffff\tBugreport-liumengyan-20210517\t1" ] }, {
diff --git a/test/table_info.conf b/test/table_info.conf
index 710b81f..e2f82fa 100644
--- a/test/table_info.conf
+++ b/test/table_info.conf
@@ -306,8 +306,7 @@ "item_id":1, "ip_type":2, "start_ip":3, - "end_ip":4, - "addr_format":7 + "end_ip":4 } }, { |
