fuzz: use lower pcre limits

to avoid timeouts instead of forbidding pcre signatures on stream Ticket: 4858
OISF · Jan 7, 2025 · fc01539 · fc01539
1 parent def22fa
commit fc01539
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 19 deletions.
diff --git a/src/detect-content.c b/src/detect-content.c
@@ -453,25 +453,6 @@ void SigParseRequiredContentSize(
  */
 bool DetectContentPMATCHValidateCallback(const Signature *s)
 {
-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-    bool has_pcre = false;
-    bool has_content = false;
-    for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
-        if (sm->type == DETECT_PCRE) {
-            has_pcre = true;
-        } else if (sm->type == DETECT_CONTENT) {
-            has_content = true;
-            break;
-        }
-    }
-    if (has_pcre && !has_content) {
-        // Fuzzing does not allow rules with pcre and without content on payload
-        // as it is known to be a bad rule for performance causing possible timeouts
-        // Engine analysis has more generic warn_pcre_no_content about this
-        return false;
-    }
-#endif
-
     if (!(s->flags & SIG_FLAG_DSIZE)) {
         return true;
     }

diff --git a/src/detect-pcre.h b/src/detect-pcre.h
@@ -36,8 +36,13 @@
 
 #define DETECT_PCRE_CAPTURE_MAX         8
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#define SC_MATCH_LIMIT_DEFAULT           350
+#define SC_MATCH_LIMIT_RECURSION_DEFAULT 150
+#else
 #define SC_MATCH_LIMIT_DEFAULT           3500
 #define SC_MATCH_LIMIT_RECURSION_DEFAULT 1500
+#endif
 
 typedef struct DetectPcreData_ {
     DetectParseRegex parse_regex;