From a2f2f7a0dd8a2536a1688c63bc34431f17baae54 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 4 May 2020 12:28:52 -0700
Subject: [PATCH] Prevent IP fragment reassembly on packets without minimal IP header

The IP fragment reassembly process assumes a packet contains at least the minimum IP header, but such a check did not previously occur, resulting in a heap buffer over-read. For example, a self-reported IPv4 IHL field with a value less than minimum IPv4 header length of 20 bytes. Such packets likely aren't routable on their own, but one can create an artifical pcap like that or possibly encapsulate it within another protocol to trigger this bug.
---
 src/Sessions.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index dc8158ec00..f4e2864d77 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -247,6 +247,23 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		return;
 		}
 
+	if ( ip_hdr->IP4_Hdr() )
+		{
+		if ( ip_hdr_len < sizeof(struct ip) )
+			{
+			Weird("IPv4_min_header_size", pkt);
+			return;
+			}
+		}
+	else
+		{
+		if ( ip_hdr_len < sizeof(struct ip6_hdr) )
+			{
+			Weird("IPv6_min_header_size", pkt);
+			return;
+			}
+		}
+
 	// Ignore if packet matches packet filter.
 	if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) )
 		return;
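Review bot: The new guard only bounds the self-reported header length from below; the hunk does not show how `ip_hdr_len` is derived nor whether it is already checked against `caplen`, and if that upper bound is not enforced earlier in DoNextPacket (which starts and ends outside this hunk) a header length larger than the captured bytes would still reach the same reassembly path, so that check belongs next to this one. The two branches differ only in the minimum and the weird name; a single computed minimum reads more directly, `const size_t min_hdr = ip_hdr->IP4_Hdr() ? sizeof(struct ip) : sizeof(struct ip6_hdr);` followed by one `if ( ip_hdr_len < min_hdr )` that picks the weird name the same way. A comment stating why the minimum is enforced at this point, `// Fragment reassembly below assumes at least the fixed IP header is present`, would tell the next reader what the Weird protects against.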