ftp: Introduce FTP::max_command_length

oss-fuzz produced FTP traffic with a ~550KB long FTP command. Cap FTP command
length at 100 bytes, log a weird if a command is larger than that and move
on to the next. Likely it's not actual FTP traffic, but raising an
analyzer violation would allow clients an easy way to disable the analyzer
by sending an overly long command.

The added test PCAP was generated using a fake Python socket server/client.
Arne Welzel 2022-11-15 21:27:53 +01:00
parent ee8e2decec
commit 3f5cb75a2a
10 changed files with 83 additions and 0 deletions


@ -96,6 +96,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
// Weird("FTP command missing", end_of_line - orig_line, orig_line);
cmd_str = new StringVal("<missing>");
}
else if ( BifConst::FTP::max_command_length > 0 &&
static_cast<zeek_uint_t>(cmd_len) > BifConst::FTP::max_command_length )
{
// If the FTP command is unusually long, log a weird if the analyzer
// has previously been confirmed, but otherwise just ignore the whole
// line and move on to the next.
if ( AnalyzerConfirmed() )
Weird("FTP_max_command_length_exceeded", util::fmt("%d", cmd_len));
return;
}
else
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
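Review bot: the weird in the new `else if` branch is only raised when `AnalyzerConfirmed()` is true, so an over-long command on a not-yet-confirmed connection is dropped silently with no telemetry at all; the commit message ("log a weird if a command is larger than that") does not mention this condition, and the docstring of the new `FTP::max_command_length` const should state it explicitly so operators know why they see no weird for the non-confirmed case. Two smaller points on the same lines: the comparison `static_cast<zeek_uint_t>(cmd_len) > BifConst::FTP::max_command_length` relies on `cmd_len` never being negative (a negative value would wrap to a huge unsigned and always hit this branch), which is worth a one-line comment next to the cast; and the `return` after the weird skips everything that follows in `DeliverStream` for this line, which matches the "ignore the whole line" intent but means the command is also never counted against any later per-connection state, so it would help to say so in the comment above it.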