lua: Add config override for lua sandbox limits

J0eJ0h · Jan 29, 2024 · a9df34a · a9df34a
1 parent 7f345b7
commit a9df34a
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 10 deletions.
diff --git a/src/detect-lua.c b/src/detect-lua.c
@@ -105,9 +105,6 @@ static void DetectLuaRegisterTests(void);
 static void DetectLuaFree(DetectEngineCtx *, void *);
 static int g_smtp_generic_list_id = 0;
 
-// TODO: move to config
-static const uint64_t g_lua_alloc_limit = 500000, g_lua_instruction_limit = 500000;
-
 /**
  * \brief Registration function for keyword: lua
  */
@@ -167,6 +164,10 @@ void DetectLuaRegister(void)
 
 #define DATATYPE_BUFFER BIT_U32(22)
 
+// TODO: move to config
+#define DEFAULT_LUA_ALLOC_LIMIT 500000
+#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
+
 #if 0
 /** \brief dump stack from lua state to screen */
 void LuaDumpStack(lua_State *state)
@@ -607,7 +608,7 @@ static void *DetectLuaThreadInit(void *data)
     t->alproto = lua->alproto;
     t->flags = lua->flags;
 
-    t->luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+    t->luastate = sb_newstate(lua->alloc_limit, lua->instruction_limit);
     if (t->luastate == NULL) {
         SCLogError("luastate pool depleted");
         goto error;
@@ -709,7 +710,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 {
     int status;
 
-    lua_State *luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+    lua_State *luastate = sb_newstate(ld->alloc_limit, ld->instruction_limit);
     if (luastate == NULL)
         return -1;
     luaL_openlibs(luastate); // TODO: get sandbox config and load appropriate libs
@@ -1020,12 +1021,20 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     if (!enabled) {
         SCLogError("Lua rules disabled by security configuration: security.lua.allow-rules");
         goto error;
-    }
+    }    
 
     lua = DetectLuaParse(de_ctx, str);
     if (lua == NULL)
         goto error;
 
+    /* Load lua sandbox configurations */
+    intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT;  
+    intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT;
+    (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit);
+    (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit);
+    lua->alloc_limit = lua_alloc_limit;
+    lua->instruction_limit = lua_instruction_limit;
+
     if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
         goto error;
     }

diff --git a/src/detect-lua.h b/src/detect-lua.h
@@ -55,6 +55,8 @@ typedef struct DetectLuaData {
     uint32_t sid;
     uint32_t rev;
     uint32_t gid;
+    uint64_t alloc_limit;
+    uint64_t instruction_limit;
 } DetectLuaData;
 
 #endif /* HAVE_LUA */

diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
@@ -64,8 +64,9 @@ static void *sb_alloc(void *ud, void *ptr, size_t osize, size_t nsize)
             return NULL;
         }
         void *nptr = SCRealloc(ptr, nsize);
-
-        ctx->alloc_bytes += nsize;
+        if(nptr != NULL) {
+            ctx->alloc_bytes += nsize;
+        }
         return nptr;
     }
 }
@@ -77,7 +78,7 @@ static const luaL_Reg sb_restrictedlibs[] = { { LUA_GNAME, luaopen_base },
     //  {LUA_LOADLIBNAME, luaopen_package},
     //  {LUA_COLIBNAME, luaopen_coroutine},
     { LUA_TABLIBNAME, luaopen_table },
-    //{LUA_IOLIBNAME, luaopen_io},
+    //  {LUA_IOLIBNAME, luaopen_io},
     //  {LUA_OSLIBNAME, luaopen_os},
     { LUA_STRLIBNAME, luaopen_string }, { LUA_MATHLIBNAME, luaopen_math },
     { LUA_UTF8LIBNAME, luaopen_utf8 },
@@ -143,7 +144,7 @@ lua_State *sb_newstate(uint64_t alloclimit, uint64_t instructionlimit)
     }
     if (sb->L == NULL) {
         // TODO: log or error code?
-        free(sb);
+        SCFree(sb);
         return NULL;
     }