Fix undefined behavior via casting file analyzers to protocol analyzers

When generating some events for PE and X509 file analyzers, there's
an invalid cast from file_analysis::Analyzer to analyzer::Analyzer
and subsequent invalid member access via analyzer::Analyzer::GetID()
called on what is really a pointer to a file analyzer.
Jon Siwek 2019-07-26 18:26:39 -07:00
parent 3de730957f
commit 4d0e9491bc
2 changed files with 27 additions and 21 deletions


@ -61,9 +61,10 @@ refine flow File += {
dh->Assign(15, val_mgr->GetCount(${h.OEMinfo}));
dh->Assign(16, val_mgr->GetCount(${h.AddressOfNewExeHeader}));
BifEvent::generate_pe_dos_header((analyzer::Analyzer *) connection()->bro_analyzer(),
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
dh);
mgr.QueueEventFast(pe_dos_header, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
dh
});
}
return true;
%}
@ -72,9 +73,10 @@ refine flow File += {
%{
if ( pe_dos_code )
{
BifEvent::generate_pe_dos_code((analyzer::Analyzer *) connection()->bro_analyzer(),
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
new StringVal(code.length(), (const char*) code.data()));
mgr.QueueEventFast(pe_dos_code, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
new StringVal(code.length(), (const char*) code.data())
});
}
return true;
%}
@ -100,9 +102,11 @@ refine flow File += {
fh->Assign(3, val_mgr->GetCount(${h.NumberOfSymbols}));
fh->Assign(4, val_mgr->GetCount(${h.SizeOfOptionalHeader}));
fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));
BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(),
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
fh);
mgr.QueueEventFast(pe_file_header, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
fh
});
}
return true;
@ -151,9 +155,10 @@ refine flow File += {
oh->Assign(23, process_rvas(${h.rvas}));
BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(),
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
oh);
mgr.QueueEventFast(pe_optional_header, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
oh
});
}
return true;
%}
@ -183,9 +188,10 @@ refine flow File += {
section_header->Assign(8, val_mgr->GetCount(${h.non_used_num_of_line_nums}));
section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
BifEvent::generate_pe_section_header((analyzer::Analyzer *) connection()->bro_analyzer(),
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
section_header);
mgr.QueueEventFast(pe_section_header, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
section_header
});
}
return true;
%}
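Review bot: The new `pe_dos_code` call still carries a C-style cast, `(const char*) code.data()`, the same kind of construct that let the old `(analyzer::Analyzer *)` cast compile against a file analyzer without complaint. Prefer the named form already used in the X509 section, `new StringVal(code.length(), reinterpret_cast<const char*>(code.data()))`, so every pointer reinterpretation stays greppable and deliberate. Separately, QueueEventFast, as I understand it, does not check for a handler itself and can leak the queued values when none exists, so each call depends on its surrounding `if ( pe_... )` guard. Only the `pe_dos_code` guard is visible here; the other four open outside their hunks and are worth confirming.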


@ -38,15 +38,15 @@ refine connection MockConnection += {
if ( ! x509_ocsp_ext_signed_certificate_timestamp )
return true;
BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(),
mgr.QueueEventFast(x509_ocsp_ext_signed_certificate_timestamp, {
bro_analyzer()->GetFile()->GetVal()->Ref(),
version,
val_mgr->GetCount(version),
new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
timestamp,
digitally_signed_algorithms->HashAlgorithm(),
digitally_signed_algorithms->SignatureAlgorithm(),
val_mgr->GetCount(timestamp),
val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()),
val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()),
new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
);
});
return true;
%}
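Review bot: The argument list passed to `mgr.QueueEventFast` is now assembled by hand, so the compiler no longer appears to check its order or value types against the event declaration the way the typed `BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp` call presumably did. A misplaced or wrongly wrapped value would only surface at runtime when the event is dispatched. A one-line comment above the call would pin the contract, e.g. `// args must match the event declaration: file, version, logid, timestamp, hash alg, sig alg, signature`. The declarations of `version` and `timestamp` sit outside this hunk; if either is signed, `val_mgr->GetCount()` converts it implicitly, so check them against the parser's field types.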