Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixing memory leaks in SSL analyzer.

Browse source
This commit is contained in:
Seth Hall 2011-07-01 12:21:50 -04:00
parent bab76be87a
commit 0dbfebc2f8
3 changed files with 36 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/bro.bif
View file

@ -3406,7 +3406,7 @@ function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: tabl
BroString* s = convert_index_to_string(root_certs); BroString* s = convert_index_to_string(root_certs);
if ( x509_stores.count(*s) > 0 ) if ( x509_stores.count(*s) > 0 )
ctx = x509_stores[*s]; ctx = x509_stores[*s];
if ( ! ctx ) // lookup to see if we have this one built already! if ( ! ctx ) // lookup to see if we have this one built already!
{ {
ctx = X509_STORE_new(); ctx = X509_STORE_new();
@ -3427,10 +3427,12 @@ function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: tabl
} }
X509_STORE_add_cert(ctx, x); X509_STORE_add_cert(ctx, x);
} }
delete idxs;
// Save the newly constructed certificate store into the cacheing map. // Save the newly constructed certificate store into the cacheing map.
x509_stores[*s] = ctx; x509_stores[*s] = ctx;
} }
delete s;
STACK_OF(X509)* untrusted_certs = sk_X509_new_null(); STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
if ( ! untrusted_certs ) if ( ! untrusted_certs )
@ -3445,8 +3447,10 @@ function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: tabl
StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal(); StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal();
const uint8 *data = sv->Bytes(); const uint8 *data = sv->Bytes();
X509* x = d2i_X509_(NULL, &data, sv->Len()); X509* x = d2i_X509_(NULL, &data, sv->Len());
Unref(sv);
if ( ! x ) if ( ! x )
{ {
sk_X509_free(untrusted_certs);
builtin_run_time(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); builtin_run_time(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
return new Val((uint64) ERR_get_error(), TYPE_COUNT); return new Val((uint64) ERR_get_error(), TYPE_COUNT);
} }
@ -3470,7 +3474,8 @@ function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: tabl
X509_STORE_CTX_cleanup(&csc); X509_STORE_CTX_cleanup(&csc);
if ( untrusted_certs ) if ( untrusted_certs )
sk_X509_pop_free(untrusted_certs, X509_free); sk_X509_free(untrusted_certs);
X509_free(cert);
return new Val((uint64) csc.error, TYPE_COUNT); return new Val((uint64) csc.error, TYPE_COUNT);
%} %}

57
src/ssl-analyzer.pac
View file

@ -72,22 +72,12 @@ function version_ok(vers : uint16) : bool
} }
%} %}
function convert_ciphers_uint24(ciph : uint24[]) : int[]
%{
vector<int>* newciph = new vector<int>();
std::transform(ciph->begin(), ciph->end(),
std::back_inserter(*newciph), to_int());
return newciph;
%}
function convert_ciphers_uint16(ciph : uint16[]) : int[] function convert_ciphers_uint16(ciph : uint16[]) : int[]
%{ %{
vector<int>* newciph = new vector<int>(); vector<int>* newciph = new vector<int>();
std::copy(ciph->begin(), ciph->end(), std::copy(ciph->begin(), ciph->end(), std::back_inserter(*newciph));
std::back_inserter(*newciph));
return newciph; return newciph;
%} %}
@ -141,7 +131,8 @@ refine connection SSL_Conn += {
function proc_client_hello(rec: SSLRecord, function proc_client_hello(rec: SSLRecord,
version : uint16, ts : double, version : uint16, ts : double,
session_id : uint8[], session_id : uint8[],
cipher_suites : int[]) : bool cipher_suites16 : uint16[],
cipher_suites24 : uint24[]) : bool
%{ %{
if ( state_ == STATE_TRACK_LOST ) if ( state_ == STATE_TRACK_LOST )
bro_analyzer()->ProtocolViolation(fmt("unexpected client hello message from %s in state %s", bro_analyzer()->ProtocolViolation(fmt("unexpected client hello message from %s in state %s",
@ -151,13 +142,15 @@ refine connection SSL_Conn += {
if ( ! version_ok(version) ) if ( ! version_ok(version) )
bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version)); bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
vector<int>* cipher_suites = new vector<int>();
if ( cipher_suites16 )
std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*cipher_suites));
else
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*cipher_suites), to_int());
if ( ssl_client_hello ) if ( ssl_client_hello )
{ {
BroType* count_t = base_type(TYPE_COUNT); TableVal* cipher_set = new TableVal(internal_type("count_set")->AsTableType());
TypeList* set_index = new TypeList(count_t);
set_index->Append(count_t);
SetType* s = new SetType(set_index, 0);
TableVal* cipher_set = new TableVal(s);
for ( unsigned int i = 0; i < cipher_suites->size(); ++i ) for ( unsigned int i = 0; i < cipher_suites->size(); ++i )
{ {
Val* ciph = new Val((*cipher_suites)[i], TYPE_COUNT); Val* ciph = new Val((*cipher_suites)[i], TYPE_COUNT);
@ -169,6 +162,8 @@ refine connection SSL_Conn += {
version, ts, version, ts,
to_string_val(session_id), to_string_val(session_id),
cipher_set); cipher_set);
delete cipher_suites;
} }
return true; return true;
@ -177,7 +172,8 @@ refine connection SSL_Conn += {
function proc_server_hello(rec: SSLRecord, function proc_server_hello(rec: SSLRecord,
version : uint16, ts : double, version : uint16, ts : double,
session_id : uint8[], session_id : uint8[],
cipher_suite : uint16, cipher_suites16 : uint16[],
cipher_suites24 : uint24[],
comp_method : uint8) : bool comp_method : uint8) : bool
%{ %{
if ( state_ == STATE_TRACK_LOST ) if ( state_ == STATE_TRACK_LOST )
@ -185,6 +181,13 @@ refine connection SSL_Conn += {
orig_label(${rec.is_orig}).c_str(), orig_label(${rec.is_orig}).c_str(),
state_label(old_state_).c_str())); state_label(old_state_).c_str()));
vector<int>* ciphers = new vector<int>();
if ( cipher_suites16 )
std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(*ciphers));
else
std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
if ( ! version_ok(version) ) if ( ! version_ok(version) )
bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version)); bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
@ -194,9 +197,10 @@ refine connection SSL_Conn += {
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
version, ts, version, ts,
to_string_val(session_id), to_string_val(session_id),
cipher_suite, comp_method); ciphers->at(0), comp_method);
} }
delete ciphers;
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}
@ -224,7 +228,6 @@ refine connection SSL_Conn += {
if ( x509_certificate ) if ( x509_certificate )
{ {
X509* pCert = 0;
for ( unsigned int i = 0; i < certificates->size(); ++i ) for ( unsigned int i = 0; i < certificates->size(); ++i )
{ {
const bytestring& cert = (*certificates)[i]; const bytestring& cert = (*certificates)[i];
@ -267,11 +270,6 @@ refine connection SSL_Conn += {
// Are there any X509 extensions? // Are there any X509 extensions?
if ( x509_extension && X509_get_ext_count(pTemp) > 0 ) if ( x509_extension && X509_get_ext_count(pTemp) > 0 )
{ {
BroType* count_t = base_type(TYPE_COUNT);
TypeList* set_index = new TypeList(count_t);
set_index->Append(count_t);
SetType* s = new SetType(set_index, 0);
TableVal* x509ex = new TableVal(s);
int num_ext = X509_get_ext_count(pTemp); int num_ext = X509_get_ext_count(pTemp);
for ( int k = 0; k < num_ext; ++k ) for ( int k = 0; k < num_ext; ++k )
{ {
@ -296,6 +294,7 @@ refine connection SSL_Conn += {
} }
} }
} }
X509_free(pTemp);
} }
} }
return true; return true;
@ -397,26 +396,26 @@ refine typeattr ApplicationData += &let {
refine typeattr ClientHello += &let { refine typeattr ClientHello += &let {
proc : bool = $context.connection.proc_client_hello(rec, client_version, proc : bool = $context.connection.proc_client_hello(rec, client_version,
gmt_unix_time, gmt_unix_time,
session_id, convert_ciphers_uint16(csuits)) session_id, csuits, 0)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr V2ClientHello += &let { refine typeattr V2ClientHello += &let {
proc : bool = $context.connection.proc_client_hello(rec, client_version, 0, proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
session_id, convert_ciphers_uint24(ciphers)) session_id, 0, ciphers)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr ServerHello += &let { refine typeattr ServerHello += &let {
proc : bool = $context.connection.proc_server_hello(rec, server_version, proc : bool = $context.connection.proc_server_hello(rec, server_version,
gmt_unix_time, session_id, cipher_suite, gmt_unix_time, session_id, cipher_suite, 0,
compression_method) compression_method)
&requires(state_changed); &requires(state_changed);
}; };
refine typeattr V2ServerHello += &let { refine typeattr V2ServerHello += &let {
proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0, proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0,
convert_ciphers_uint24(ciphers)[0], 0) 0, ciphers, 0)
&requires(state_changed); &requires(state_changed);
cert : bool = $context.connection.proc_v2_certificate(rec, cert_data) cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)

2
src/ssl-protocol.pac
View file

@ -433,7 +433,7 @@ type ServerHello(rec: SSLRecord) = record {
random_bytes : bytestring &length = 28 &transient; random_bytes : bytestring &length = 28 &transient;
session_len : uint8; session_len : uint8;
session_id : uint8[session_len]; session_id : uint8[session_len];
cipher_suite : uint16; cipher_suite : uint16[1];
compression_method : uint8; compression_method : uint8;
} &let { } &let {
state_changed : bool = state_changed : bool =