Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Factor in caplens in ICMPAnalyzer::DeliverPacket length calculations

Browse source 
Relying only on the IP-header-provided length could violate buffer boundaries in
the endpoints' rule matching. This change mirrors what we do in UDP and TCP.

Resolves #3671
This commit is contained in:
Christian Kreibich 2024-04-25 16:16:15 -07:00
parent c7a21c18c8
commit 581971e160
1 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -92,11 +92,14 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
c->SetLastTime(run_state::current_timestamp);
adapter->InitEndpointMatcher(ip.get(), len, is_orig);
// Move past common portion of ICMP header.
// Move past common portion of ICMP header. BuildConnTuple() verified that
// the header is fully present.
data += 8;
remaining -= 8;
len -= 8;
// The ICMP session adapter only uses len to signal endpoint activity, so
// caplen vs len does not matter.
adapter->UpdateLength(is_orig, len);
if ( ip->NextProto() == IPPROTO_ICMP )
@ -112,12 +115,12 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
// handling those properly.
pkt->session = c;
ForwardPacket(len, data, pkt);
ForwardPacket(std::min(len, remaining), data, pkt);
if ( remaining >= len )
adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);
adapter->MatchEndpoint(data, len, is_orig);
adapter->MatchEndpoint(data, std::min(len, remaining), is_orig);
}
void ICMPAnalyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,