Merge pull request #1493 from jan-cerny/recurse_seg

Prevent crashes when complicated regexes are executed

Author: evgenyz

docs/developer/developer.adoc

@@ -317,6 +317,8 @@ behaviour.
 
 * *OSCAP_FULL_VALIDATION=1* - validate all exported documents (slower)
 * *SEXP_VALIDATE_DISABLE=1* - do not validate SEXP expressions (faster)
+* *OSCAP_PCRE_EXEC_RECURSION_LIMIT* - override default recursion limit
+  for match in pcre_exec call in textfilecontent(54) probes.
 
 
 

src/OVAL/probes/independent/textfilecontent54_probe.c

@@ -52,68 +52,11 @@
 #include <probe/option.h>
 #include <oval_fts.h>
 #include "common/debug_priv.h"
+#include "common/util.h"
 #include "textfilecontent54_probe.h"
 
 #define FILE_SEPARATOR '/'
 
-static int get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings) {
-	int i, ret, rc;
-	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
-	char **substrs;
-
-	// todo: max match count check
-
-	for (i = 0; i < ovector_len; ++i)
-		ovector[i] = -1;
-
-#if defined(OS_SOLARIS)
-	rc = pcre_exec(re, NULL, str, strlen(str), *ofs, PCRE_NO_UTF8_CHECK, ovector, ovector_len);
-#else
-	rc = pcre_exec(re, NULL, str, strlen(str), *ofs, 0, ovector, ovector_len);
-#endif
-
-	if (rc < -1) {
-		dE("Function pcre_exec() failed to match a regular expression with return code %d on string '%s'.", rc, str);
-		return rc;
-	} else if (rc == -1) {
-		/* no match */
-		return 0;
-	}
-
-	*ofs = (*ofs == ovector[1]) ? ovector[1] + 1 : ovector[1];
-
-	if (!want_substrs) {
-		/* just report successful match */
-		return 1;
-	}
-
-	ret = 0;
-	if (rc == 0) {
-		/* vector too small */
-		// todo: report partial results
-		rc = ovector_len / 3;
-	}
-
-	substrs = malloc(rc * sizeof (char *));
-	for (i = 0; i < rc; ++i) {
-		int len;
-		char *buf;
-
-		if (ovector[2 * i] == -1)
-			continue;
-		len = ovector[2 * i + 1] - ovector[2 * i];
-		buf = malloc(len + 1);
-		memcpy(buf, str + ovector[2 * i], len);
-		buf[len] = '\0';
-		substrs[ret] = buf;
-		++ret;
-	}
-
-	*substrings = substrs;
-
-	return ret;
-}
-
 static SEXP_t *create_item(const char *path, const char *filename, char *pattern,
 			   int instance, char **substrs, int substr_cnt, oval_schema_version_t over)
 {
@@ -260,7 +203,7 @@ static int process_file(const char *prefix, const char *path, const char *file,
 			want_instance = 0;
 
 		SEXP_free(next_inst);
-		substr_cnt = get_substrings(buf, &ofs, pfd->compiled_regex, want_instance, &substrs);
+		substr_cnt = oscap_get_substrings(buf, &ofs, pfd->compiled_regex, want_instance, &substrs);
 
 		if (substr_cnt < 0) {
 			SEXP_t *msg;

src/OVAL/probes/independent/textfilecontent_probe.c

@@ -71,63 +71,11 @@
 #include <probe/option.h>
 #include <oval_fts.h>
 #include "common/debug_priv.h"
+#include "common/util.h"
 #include "textfilecontent_probe.h"
 
 #define FILE_SEPARATOR '/'
 
-static int get_substrings(char *str, pcre *re, int want_substrs, char ***substrings) {
-	int i, ret, rc;
-	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
-
-	// todo: max match count check
-
-	for (i = 0; i < ovector_len; ++i)
-		ovector[i] = -1;
-
-	rc = pcre_exec(re, NULL, str, strlen(str), 0, 0,
-		       ovector, ovector_len);
-
-	if (rc < -1) {
-		return -1;
-	} else if (rc == -1) {
-		/* no match */
-		return 0;
-	} else if(!want_substrs) {
-		/* just report successful match */
-		return 1;
-	}
-
-	char **substrs;
-
-	ret = 0;
-	if (rc == 0) {
-		/* vector too small */
-		rc = ovector_len / 3;
-	}
-
-	substrs = malloc(rc * sizeof (char *));
-	for (i = 0; i < rc; ++i) {
-		int len;
-		char *buf;
-
-		if (ovector[2 * i] == -1)
-			continue;
-		len = ovector[2 * i + 1] - ovector[2 * i];
-		buf = malloc(len + 1);
-		memcpy(buf, str + ovector[2 * i], len);
-		buf[len] = '\0';
-		substrs[ret] = buf;
-		++ret;
-	}
-	/*
-	  if (ret < rc)
-	  substrs = realloc(substrs, ret * sizeof (char *));
-	*/
-	*substrings = substrs;
-
-	return ret;
-}
-
 static SEXP_t *create_item(const char *path, const char *filename, char *pattern,
 			   int instance, char **substrs, int substr_cnt, oval_schema_version_t over)
 {
@@ -244,9 +192,10 @@ static int process_file(const char *prefix, const char *path, const char *filena
 
 	int cur_inst = 0;
 	char line[4096];
+	int ofs = 0;
 
 	while (fgets(line, sizeof(line), fp) != NULL) {
-		substr_cnt = get_substrings(line, re, 1, &substrs);
+		substr_cnt = oscap_get_substrings(line, &ofs, re, 1, &substrs);
 		if (substr_cnt > 0) {
 			int k;
 			SEXP_t *item;

src/common/util.c

@@ -30,11 +30,13 @@
 #include <limits.h>
 #include <stdarg.h>
 #include <math.h>
+#include <pcre.h>
 
 #include "util.h"
 #include "_error.h"
 #include "oscap.h"
 #include "oscap_helpers.h"
+#include "debug_priv.h"
 
 #ifdef OS_WINDOWS
 #include <stdlib.h>
@@ -45,6 +47,7 @@
 #endif
 
 #define PATH_SEPARATOR '/'
+#define OSCAP_PCRE_EXEC_RECURSION_LIMIT_DEFAULT 5000
 
 int oscap_string_to_enum(const struct oscap_string_map *map, const char *str)
 {
@@ -353,6 +356,76 @@ char *oscap_path_join(const char *path1, const char *path2)
 	return joined_path;
 }
 
+int oscap_get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings) {
+	int i, ret, rc;
+	int ovector[60], ovector_len = sizeof (ovector) / sizeof (ovector[0]);
+	char **substrs;
+
+	// todo: max match count check
+
+	for (i = 0; i < ovector_len; ++i) {
+		ovector[i] = -1;
+	}
+
+	struct pcre_extra extra;
+	extra.match_limit_recursion = OSCAP_PCRE_EXEC_RECURSION_LIMIT_DEFAULT;
+	char *limit_str = getenv("OSCAP_PCRE_EXEC_RECURSION_LIMIT");
+	if (limit_str != NULL) {
+		unsigned long limit;
+		if (sscanf(limit_str, "%lu", &limit) == 1) {
+			extra.match_limit_recursion = limit;
+		}
+	}
+	extra.flags = PCRE_EXTRA_MATCH_LIMIT_RECURSION;
+#if defined(OS_SOLARIS)
+	rc = pcre_exec(re, &extra, str, strlen(str), *ofs, PCRE_NO_UTF8_CHECK, ovector, ovector_len);
+#else
+	rc = pcre_exec(re, &extra, str, strlen(str), *ofs, 0, ovector, ovector_len);
+#endif
+
+	if (rc < -1) {
+		dE("Function pcre_exec() failed to match a regular expression with return code %d on string '%s'.", rc, str);
+		return rc;
+	} else if (rc == -1) {
+		/* no match */
+		return 0;
+	}
+
+	*ofs = (*ofs == ovector[1]) ? ovector[1] + 1 : ovector[1];
+
+	if (!want_substrs) {
+		/* just report successful match */
+		return 1;
+	}
+
+	ret = 0;
+	if (rc == 0) {
+		/* vector too small */
+		// todo: report partial results
+		rc = ovector_len / 3;
+	}
+
+	substrs = malloc(rc * sizeof (char *));
+	for (i = 0; i < rc; ++i) {
+		int len;
+		char *buf;
+
+		if (ovector[2 * i] == -1) {
+			continue;
+		}
+		len = ovector[2 * i + 1] - ovector[2 * i];
+		buf = malloc(len + 1);
+		memcpy(buf, str + ovector[2 * i], len);
+		buf[len] = '\0';
+		substrs[ret] = buf;
+		++ret;
+	}
+
+	*substrings = substrs;
+
+	return ret;
+}
+
 #ifdef OS_WINDOWS
 char *oscap_windows_wstr_to_str(const wchar_t *wstr)
 {

src/common/util.h

@@ -31,6 +31,7 @@
 #include "public/oscap.h"
 #include <stdarg.h>
 #include <string.h>
+#include <pcre.h>
 #include "oscap_export.h"
 
 #ifndef __attribute__nonnull__
@@ -467,6 +468,19 @@ int oscap_strncasecmp(const char *s1, const char *s2, size_t n);
  */
 char *oscap_strerror_r(int errnum, char *buf, size_t buflen);
 
+/**
+ * Match a regular expression and return substrings.
+ * Caller is responsible for freeing the returned array.
+ * @param str subject string
+ * @param ofs starting offset in str
+ * @param re compiled regular expression
+ * @param want_substrs if non-zero, substrings will be returned
+ * @param substrings contains returned substrings
+ * @return count of matched substrings, 0 if no match
+ * negative value on failure
+ */
+int oscap_get_substrings(char *str, int *ofs, pcre *re, int want_substrs, char ***substrings);
+
 #ifdef OS_WINDOWS
 /**
  * Convert wide character string to a C string (UTF-16 to UTF-8)