From 1b9ee38e6933fbaf1db5822ab0e3088e41435c49 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Sun, 30 Aug 2015 18:49:05 -0700
Subject: [PATCH] Fix potential crash TCP headers were captured incompletely.

Test case provided by Jonathan Ganz.

BIT-1425 #close
---
 src/analyzer/protocol/tcp/TCP.cc | 2 +-
 .../Baseline/core.tcp.truncated-header/out | 23 ++++++++++++++++++
 .../btest/Traces/tcp/truncated-header.pcap | Bin 0 -> 1722 bytes
 testing/btest/core/tcp/truncated-header.bro | 9 +++++++
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/core.tcp.truncated-header/out
 create mode 100644 testing/btest/Traces/tcp/truncated-header.pcap
 create mode 100644 testing/btest/core/tcp/truncated-header.bro

diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 72cad8a05c..258fdfcf58 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -442,7 +442,7 @@ const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data,
 	}
 
 	if ( tcp_hdr_len > uint32(len) ||
-	     sizeof(struct tcphdr) > uint32(caplen) )
+	     tcp_hdr_len > uint32(caplen) )
 		{
 		// This can happen even with the above test, due to TCP
 		// options.
diff --git a/testing/btest/Baseline/core.tcp.truncated-header/out b/testing/btest/Baseline/core.tcp.truncated-header/out
new file mode 100644
index 0000000000..df112791b4
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.truncated-header/out
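Review bot: The new condition `tcp_hdr_len > uint32(caplen)` only subsumes the dropped `sizeof(struct tcphdr) > uint32(caplen)` test if something above the hunk has already rejected a `tcp_hdr_len` smaller than `sizeof(struct tcphdr)`; for a data-offset value below the minimum header size the new comparison is weaker than the old one, so if no such check exists the old clause should be kept alongside the new one (`|| sizeof(struct tcphdr) > uint32(caplen)`). Independently of that, `tcp_hdr_len` is already in hand here, meaning the data-offset field was read from `data` before this function confirms that the full fixed header was captured — presumably a caller guarantees at least `sizeof(struct tcphdr)` captured bytes, but that is not visible in the hunk and is worth confirming. The comment on the following context lines still describes only the wire-length case; with truncated captures now routed here too, consider `// Either the options run past the IP payload, or the capture was cut inside the TCP header/options.` ExtractTCP_Header begins and ends outside the hunk.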
@@ -0,0 +1,23 @@
+1103139821.635001, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139821.833528, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139821.841126, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.039902, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.040151, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.040254, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.040878, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.240529, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.240632, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.247627, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.450278, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.450381, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.453253, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.65178, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.651883, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.652756, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.882264, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.933982, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.934084, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.934209, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139822.934214, 
[orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139823.145731, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+1103139823.145958, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
diff --git a/testing/btest/Traces/tcp/truncated-header.pcap b/testing/btest/Traces/tcp/truncated-header.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b7a6817f1f399d5cd159ce2c9a07c65110dfab74
GIT binary patch
literal 1722
zcmaKsZ%9*77>AE@&5f2!3Eix4lGLJ8(7=lPw(+#?UW6->$g zy>`Q!IC%Wd;i78~Gz>qNz%%=MZC2O2#+BE1Je^asJ&YCP`2@C2rTy}1u(P-^J}u;T zF+*YMX%GCE-FlHSc6FRFg>uCsr9!QSuK&tmK!C>>`Zl6(9X9{V&?^#MbxE?*^|lV?gyf@@_f$K zPNI+dj>N};KB9iw*ipyWJh*sV>_09U7Ieux&vEHNm!m^OnYclea&VCq31@SV^16jf z(F5fsQ3^X3U1STJJ`G}#b&aH`2Z{osZd%=Of++o6L{Y%G$tXV?o+D+bluLnKoJ~Y& zyB8nX3@c|J)|KnPjtMZLjTv!5uzD201xOmTDQk~_QH#Zq6G>M)DCsTpSr zQ4YK$mt(w>K6GjrDI;IG6f80jWyYh56jkwxN;ZDRqIK_=7dgyO)Qv?)f(bf>h~oZ5E@ix;UHNTD31@LBSagXfRgP7$ zi%cbtvFJ~_q^Md5RVIi!IHL}t)Ch^ODcR~ir0iVJrQk_lAj;?xihP&LJy>)}6B

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tcp/truncated-header.bro b/testing/btest/core/tcp/truncated-header.bro
new file mode 100644
index 0000000000..f3ae369b2e
--- /dev/null
+++ b/testing/btest/core/tcp/truncated-header.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -b -r $TRACES/tcp/truncated-header.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
+	{
+	# Just having this handler used to crash Bro on this trace.
+	print network_time(), c$id;
+	}
+
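Review bot: The test only pins that the `tcp_packet` handler fires for every packet in the trace; nothing in it checks that the truncated header was recognised as such, so a regression that mis-parsed the short header without crashing would still pass. If the truncated-header path in ExtractTCP_Header reports a weird (not visible here), also baselining that output — e.g. a second `# @TEST-EXEC: btest-diff weird.log`, assuming the logging it needs is available under `-b` — would pin the behaviour the fix introduces rather than just the absence of a crash. The comment would also be easier to trace back if it named the ticket: `# Just having this handler used to crash Bro on this trace (BIT-1425).`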