pop3: Prevent unbounded state growth

The cmds list may grow unbounded due to the POP3 analyzer being in multiLine mode after seeing `AUTH` in a Redis connection, but never a `.` terminator. This can easily be provoked by the Redis ping command. This adds two heuristics: 1) Forcefully process the oldest commands in the cmds list and cap it at max_pending_commands. 2) Start raising analyzer violations if the client has been using more than max_unknown_client_commands commands (default 10). Closes #3936
2025-10-02 06:38:20 +00:00 · 2024-09-18 17:31:58 +02:00 · 2024-09-18 17:31:58 +02:00 · cf9fe91705
commit cf9fe91705
parent b4fdce8d5b
16 changed files with 130 additions and 3 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -2903,6 +2903,22 @@ export {

 } # end export

+module POP3;
+
+export {
+	## How many commands a POP3 client may have pending
+	## before Zeek forcefully removes the oldest.
+	##
+	## Setting this value to 0 removes the limit.
+	const max_pending_commands = 10 &redef;
+
+	## How many invalid commands a POP3 client may use
+	## before Zeek starts raising analyzer violations.
+	##
+	## Setting this value to 0 removes the limit.
+	const max_unknown_client_commands = 10 &redef;
+
+} # end export

 module Threading;