Added capping logic for sFlow counter and flow samples to reduce chances of DoS
pavel-odintsov committed Dec 12, 2024
1 parent 5164a29 commit 919a5bd
Showing 2 changed files with 25 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/libsflow/libsflow.hpp
Expand Up @@ -18,6 +18,12 @@ const uint32_t max_udp_packet_size = 65535;
// We need to limit number of samples by reasonable number
const int32_t max_sflow_sample_number = 256;

// We need to limit number of counter samples by reasonable number
const uint32_t max_number_of_counter_records = 256;

// We need to limit number of flow samples by reasonable number
const uint32_t max_number_of_flow_records = 256;

enum class sflow_sample_type_t : unsigned int {
FLOW_SAMPLE = 1,
COUNTER_SAMPLE = 2,
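Review bot: The two new limits are declared `const uint32_t` while the existing `max_sflow_sample_number` just above them is `const int32_t`, so the three caps in this header disagree on signedness and a comparison against an accessor's return value will be signed or unsigned depending on which limit is used; declaring all three the same way, and `constexpr`, avoids that. The three comments repeat the same sentence and none says why 256 was chosen; a one-line rationale tying the value to `max_udp_packet_size` and the smallest record size would let the next reader judge whether the cap is tight enough. Proposed form for each: `constexpr uint32_t max_number_of_counter_records = 256; // hard cap on records per counter sample; bounds per-datagram work`. The enum and the rest of the header continue outside the hunk.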
19 changes: 19 additions & 0 deletions src/sflow_plugin/sflow_collector.cpp
Expand Up @@ -330,6 +330,17 @@ bool process_sflow_flow_sample(const uint8_t* data_pointer,
return false;
}

if (sflow_sample_header_unified_accessor.get_number_of_flow_records() > max_number_of_flow_records) {
logger << log4cpp::Priority::ERROR << plugin_log_prefix << "flow records number "
<< sflow_sample_header_unified_accessor.get_number_of_flow_records()
<< " exceeds maximum value "
<< max_number_of_flow_records;

sflow_bad_flow_samples++;

return false;
}

const uint8_t* flow_record_zone_start = data_pointer + sflow_sample_header_unified_accessor.get_original_payload_length();

std::vector<record_tuple_t> vector_tuple;
Expand Down Expand Up @@ -609,6 +620,14 @@ bool process_sflow_counter_sample(const uint8_t* data_pointer,
return false;
}

if (sflow_counter_header_unified_accessor.get_number_of_counter_records() > max_number_of_counter_records) {
logger << log4cpp::Priority::ERROR << plugin_log_prefix << "number of counter records "
<< sflow_counter_header_unified_accessor.get_number_of_counter_records()
<< " exceeds maximum value "
<< max_number_of_counter_records;
return false;
}

std::vector<counter_record_sample_t> counter_record_sample_vector;
counter_record_sample_vector.reserve(sflow_counter_header_unified_accessor.get_number_of_counter_records());

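Review bot: The new cap in process_sflow_counter_sample logs and returns false without bumping any drop counter, whereas the parallel check added in process_sflow_flow_sample does `sflow_bad_flow_samples++` before returning; the two paths should be consistent, so that a capped counter sample shows up in metrics (via the counter-sample equivalent of that statistic, if one exists) and not only in the log. Both checks also emit an ERROR-level message for every offending datagram, and the record count is attacker-controlled, so a burst of such packets turns the protection into a log-volume problem; consider rate-limiting the message or logging at a lower priority and letting the counter carry the signal. Both enclosing functions start and end outside the hunks shown here.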
