From 77563fd27c73e2a3bae536a94b98bb0f634a9e43 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 21 Mar 2024 09:38:25 +0100
Subject: [PATCH 1/7] conf: avoid quadratic complexity
Ticket: 6878
Follow up on 15649424a76d01eb332d85620ffc4956d4f3d9be When adding many sequence nodes, either from start or scalar event We add "sequence nodes" whose name is an integer cf sequence_node_name and then run ConfNodeLookupChild to see if it had been already set (from the command line cf comment in the code) And ConfNodeLookupChild iterates the whole linked list... 1. We add node 1 2. To add node 2, we check if node 1 equals this new node 3. To add node 3, we check if nodes 1, or 2 equals this new node's name And so on... This commits avoids these checks ig the list is empty at the beginning
(cherry picked from commit 240e068b81275e287ffe6555d4c457a0b3916066)
---
 src/conf-yaml-loader.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/conf-yaml-loader.c b/src/conf-yaml-loader.c
index 0c7abd58ad1b..221064a0fcf2 100644
--- a/src/conf-yaml-loader.c
+++ b/src/conf-yaml-loader.c
@@ -358,8 +358,19 @@ ConfYamlParse(yaml_parser_t *parser, ConfNode *parent, int inseq, int rlevel)
 if (inseq) {
 char sequence_node_name[DEFAULT_NAME_LEN];
 snprintf(sequence_node_name, DEFAULT_NAME_LEN, "%d", seq_idx++);
- ConfNode *seq_node = ConfNodeLookupChild(node,
- sequence_node_name);
+ ConfNode *seq_node = NULL;
+ if (was_empty < 0) {
+ // initialize was_empty
+ if (TAILQ_EMPTY(&node->head)) {
+ was_empty = 1;
+ } else {
+ was_empty = 0;
+ }
+ }
+ // we only check if the node's list was not empty at first
+ if (was_empty == 0) {
+ seq_node = ConfNodeLookupChild(node, sequence_node_name);
+ }
 if (seq_node != NULL) {
 /* The sequence node has already been set, probably
 * from the command line. Remove it so it gets
From 708b583d8dddc2d2d6cfa67befdf1f015e2e6deb Mon Sep 17 00:00:00 2001
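Review bot: In src/conf-yaml-loader.c (@@ -358), `was_empty` is sampled from `node->head` once and then trusted for every later sequence entry, which is only sound while `node` keeps referring to the same list; neither the declaration of `was_empty` nor the assignments to `node` are inside this hunk, so that invariant cannot be checked here. If it holds, record it where the flag is initialised, e.g. `/* -1 = not sampled, 1 = list was empty on entry so no pre-set child can exist, 0 = lookup required */`, so that the replacement of values set earlier (the command-line case the existing comment mentions) is not silently lost in a later refactor. The four-line if/else can be written as `was_empty = TAILQ_EMPTY(&node->head) ? 1 : 0;`. ConfYamlParse starts and ends outside the hunk.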
From: Philippe Antoine
Date: Thu, 21 Mar 2024 16:02:23 +0100
Subject: [PATCH 2/7] rust: fix clippy 1.77 warning
Ticket: 6883
error: field `0` is never read --> src/asn1/mod.rs:36:14 | 36 | BerError(Err), | -------- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | | | field in this variant |
(cherry picked from commit 02f2fb88333af767ab3b171643357d607f4e86f6)
---
 rust/src/asn1/mod.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rust/src/asn1/mod.rs b/rust/src/asn1/mod.rs
index 6f8364898dc9..feddc3d008e5 100644
--- a/rust/src/asn1/mod.rs
+++ b/rust/src/asn1/mod.rs
@@ -30,7 +30,7 @@ pub struct Asn1<'a>(Vec>);
 enum Asn1DecodeError {
 InvalidKeywordParameter,
 MaxFrames,
- BerError(nom::Err),
+ BerError,
 }
 /// Enumeration of Asn1 checks
@@ -276,8 +276,8 @@ impl From for Asn1DecodeError {
 }
 impl From> for Asn1DecodeError {
- fn from(e: nom::Err) -> Asn1DecodeError {
- Asn1DecodeError::BerError(e)
+ fn from(_e: nom::Err) -> Asn1DecodeError {
+ Asn1DecodeError::BerError
 }
 }
From 683d5c5be4e3739ede327c109b1b70a73a0c8d57 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 21 Mar 2024 22:45:41 +0100
Subject: [PATCH 3/7] rust/mqtt: fix clippy 1.77 warning
error: creating a mutable reference to mutable static is discouraged --> src/mqtt/mqtt.rs:752:23 | 752 | let max_msg_len = &mut MAX_MSG_LEN; | ^^^^^^^^^^^^^^^^ mutable reference to mutable static | = note: for more information, see issue #114447 = note: this will be a hard error in the 2024 edition = note: this mutable reference has lifetime `'static`, but if the static gets accessed (read or written) by any other means, or any other reference is created, then any further use of this mutable reference is Undefined Behavior
---
 rust/src/mqtt/mqtt.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rust/src/mqtt/mqtt.rs b/rust/src/mqtt/mqtt.rs
index 7cd5394d49f7..5f210be8b90d 100644
--- a/rust/src/mqtt/mqtt.rs
+++ b/rust/src/mqtt/mqtt.rs
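Review bot: In rust/src/asn1/mod.rs (@@ -276), the `From` impl for `nom::Err` now discards its argument, so `Asn1DecodeError::BerError` no longer says whether the BER input was truncated or malformed. That silences the dead-code lint, but it also removes the only detail available when a decode failure on hostile input has to be investigated; if the detail is genuinely never needed, say so on the impl, e.g. `// nom error detail is intentionally dropped: callers only test for failure`. Whether any caller formats the error with `{:?}` is not visible in these hunks, so confirm that before relying on such a comment. The generic parameters in both hunks are missing from the page text, so the exact error type is not shown.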
@@ -838,8 +838,7 @@ export_tx_data_get!(rs_mqtt_get_tx_data, MQTTTransaction);
 #[no_mangle]
 pub unsafe extern "C" fn rs_mqtt_register_parser(cfg_max_msg_len: u32) {
 let default_port = CString::new("[1883]").unwrap();
- let max_msg_len = &mut MAX_MSG_LEN;
- *max_msg_len = cfg_max_msg_len;
+ MAX_MSG_LEN = cfg_max_msg_len;
 let parser = RustParser {
 name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
 default_port: default_port.as_ptr(),
From 9e4dfb2d759f69f84b71eb27f7fa098f0f647c4d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 3 Dec 2023 21:15:36 +0100
Subject: [PATCH 4/7] defrag: match up v4 and v6 packet setup
v4 was doing redundant recursion level setup. v6 was missing PKT_REBUILT_FRAGMENT flag.
(cherry picked from commit af97316f42c6616536dc8012577827fee9a56f11)
---
 src/defrag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/defrag.c b/src/defrag.c
index e02cd9c073a0..6b17f9073845 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -295,7 +295,6 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
- rp->recursion_level = p->recursion_level;
 int fragmentable_offset = 0;
 int fragmentable_len = 0;
@@ -433,6 +432,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 goto error_remove_tracker;
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
+ rp->flags |= PKT_REBUILT_FRAGMENT;
 int unfragmentable_len = 0;
 int fragmentable_offset = 0;
From 677abc69679eab694dba483bcfd44e1a27d174c6 Mon Sep 17 00:00:00 2001
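Review bot: In rust/src/mqtt/mqtt.rs (@@ -838), `MAX_MSG_LEN = cfg_max_msg_len;` is still an unsynchronised write to a `static mut`; dropping the `&mut` reference removes the lint but not the requirement that nothing else reads or writes the static at the same time. The function is `unsafe extern "C"`, so that contract sits with the C caller and should be written on the assignment, e.g. `// SAFETY: called once at parser registration, before any thread reads MAX_MSG_LEN` (to be confirmed against the call site, which is not on this page). `cfg_max_msg_len` is also stored without a range check, so a configured 0 or `u32::MAX` reaches the parser unchanged; whether the caller already bounds it is not visible here. The function body continues past the hunk.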
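Review bot: In src/defrag.c (@@ -433), the IPv6 path was missing `PKT_REBUILT_FRAGMENT` because Defrag4Reassemble and Defrag6Reassemble each keep their own copy of the post-setup lines (`PKT_SET_SRC(rp, PKT_SRC_DEFRAG);` plus the flag). Adding the line closes today's gap but keeps the duplication that produced it; setting the source and the flag in one place shared by both paths would stop them from drifting again. Any code that keys on the flag to recognise reassembled packets treated IPv6 reassemblies differently until now, so a unit test asserting the flag on a reassembled v6 packet is worth adding alongside. Both functions start and end outside their hunks.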
From: Victor Julien
Date: Sat, 23 Mar 2024 20:17:54 +0100
Subject: [PATCH 5/7] defrag: fix wrong datalink being logged
Eve's packet_info.linktype should correctly indicated what the `packet` field contains. Until now it was using DLT_RAW even if Ethernet or other L2+ headers were present. This commit records the datalink of the packet creating the first fragment, which can include the L2+ header data.
Bug: #6887.
(cherry picked from commit 49c67b2bb1baa84b7105bca82afe6909be890855)
---
 src/decode.c | 1 -
 src/defrag.c | 5 +++++
 src/defrag.h | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/decode.c b/src/decode.c
index 45301f78d715..5eeb85a78f97 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -408,7 +408,6 @@ Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, u
 p->recursion_level = parent->recursion_level; /* NOT incremented */
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
- p->datalink = DLT_RAW;
 p->tenant_id = parent->tenant_id;
 /* tell new packet it's part of a tunnel */
 SET_TUNNEL_PKT(p);
diff --git a/src/defrag.c b/src/defrag.c
index 6b17f9073845..d2fa4ffff460 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -295,6 +295,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 int fragmentable_offset = 0;
 int fragmentable_len = 0;
@@ -433,6 +434,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 }
 PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->flags |= PKT_REBUILT_FRAGMENT;
+ rp->datalink = tracker->datalink;
 int unfragmentable_len = 0;
 int fragmentable_offset = 0;
@@ -861,6 +863,9 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
 #ifdef DEBUG
 new->pcap_cnt = pcap_cnt;
 #endif
+ if (frag_offset == 0) {
+ tracker->datalink = p->datalink;
+ }
 IP_FRAGMENTS_RB_INSERT(&tracker->fragment_tree, new);
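Review bot: In src/defrag.c (@@ -861), `tracker->datalink` is written only when `frag_offset == 0`, and nothing in this patch initialises it when a tracker is created or reused, while the src/decode.c hunk removes the old `p->datalink = DLT_RAW;` default. If reassembly can never run without an accepted offset-0 fragment this is harmless, but that is not visible in these hunks; otherwise `rp->datalink = tracker->datalink;` in Defrag4Reassemble and Defrag6Reassemble copies a stale or zero value, and EVE's `packet_info.linktype` again misdescribes the `packet` bytes that analysts decode. Setting `tracker->datalink = DLT_RAW;` wherever the tracker is (re)initialised would keep the previous behaviour as the fallback. The new assignment also runs for every offset-0 fragment, so a duplicate or overlapping one replaces the value recorded by the first; if the defrag.h comment means the first fragment seen, guard the assignment or reword the comment. DefragInsertFrag starts and ends outside the hunk, so whether this point is reached only for accepted fragments cannot be told from here.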
diff --git a/src/defrag.h b/src/defrag.h
index 771616e4ddaf..7fd08262ffde 100644
--- a/src/defrag.h
+++ b/src/defrag.h
@@ -105,6 +105,7 @@ typedef struct DefragTracker_ {
 Address dst_addr; /**< Destination address for this tracker. */
 struct timeval timeout; /**< When this tracker will timeout. */
+ int datalink; /**< datalink for reassembled packet, set by first fragment */
 uint32_t host_timeout; /**< Host timeout, statically assigned from the yaml */
 /** use cnt, reference counter */
From 04b6b96eb7a9e0f62f2f7a0fbe4583d9c3601f75 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 12 Apr 2024 11:02:13 +0200
Subject: [PATCH 6/7] pcap: support LINKTYPE_IPV6 (229)
This is just another variant of DLT_RAW.
Ticket: #6943.
(cherry picked from commit 76322368ed3ef89c04082939c58535c7234d7173)
---
 src/decode.h | 1 +
 src/source-pcap-file-helper.c | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/decode.h b/src/decode.h
index a77c7c7f18ca..eeb292fa26c9 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1150,6 +1150,7 @@ void DecodeUnregisterCounters(void);
 * Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
 #define LINKTYPE_RAW2 101
 #define LINKTYPE_IPV4 228
+#define LINKTYPE_IPV6 229
 #define LINKTYPE_GRE_OVER_IP 778
 #define LINKTYPE_CISCO_HDLC DLT_C_HDLC
 #define PPP_OVER_GRE 11
diff --git a/src/source-pcap-file-helper.c b/src/source-pcap-file-helper.c
index 9f13a4c17e8d..6300601419bf 100644
--- a/src/source-pcap-file-helper.c
+++ b/src/source-pcap-file-helper.c
@@ -252,6 +252,7 @@ TmEcode ValidateLinkType(int datalink, DecoderFunc *DecoderFn)
 *DecoderFn = DecodePPP;
 break;
 case LINKTYPE_IPV4:
+ case LINKTYPE_IPV6:
 case LINKTYPE_RAW:
 case LINKTYPE_RAW2:
 case LINKTYPE_GRE_OVER_IP:
From f1091ba21fda00e41b1f4d120f545305e92c41a2 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 28 Mar 2024 10:43:46 +0100
Subject: [PATCH 7/7] detect/http: fix compile warning in body tests
When --enable-unittests w/o --enable-debug is used.
(cherry picked from commit e651cf922a02f5882593a23bd2ed9327a5e8d2cc)
---
 src/tests/detect-http-client-body.c | 1 +
 src/tests/detect-http-server-body.c | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/tests/detect-http-client-body.c b/src/tests/detect-http-client-body.c
index 2532b4a7ab0c..59fb161918aa 100644
--- a/src/tests/detect-http-client-body.c
+++ b/src/tests/detect-http-client-body.c
@@ -157,6 +157,7 @@ static int RunTest (struct TestSteps *steps, const char *sig, const char *yaml)
 int i = 0;
 while (b->input != NULL) {
 SCLogDebug("chunk %p %d", b, i);
+ (void)i;
 Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
 FAIL_IF_NULL(p);
 p->flow = &f;
diff --git a/src/tests/detect-http-server-body.c b/src/tests/detect-http-server-body.c
index 3b6379493017..960beae6d897 100644
--- a/src/tests/detect-http-server-body.c
+++ b/src/tests/detect-http-server-body.c
@@ -117,6 +117,7 @@ static int RunTest(struct TestSteps *steps, const char *sig, const char *yaml)
 int i = 0;
 while (b->input != NULL) {
 SCLogDebug("chunk %p %d", b, i);
+ (void)i;
 Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
 FAIL_IF_NULL(p);
 p->flow = &f;