From abba6fd3d039a8c802cd1e7aa32a5617434d956f Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Mon, 20 Jul 2020 13:36:37 -0700
Subject: [PATCH] Fix potential NetbiosSSN analyzer stack overflow

The Contents_NetbiosSSN analyzer used a recursive message parsing function that determined the size of the next message from the input packet-data itself. A packet containing a sequence of many small messages could cause a stack overflow since a recursion happened after processing each message.

---
 src/analyzer/protocol/netbios/NetbiosSSN.cc | 13 +++++++++----
 src/analyzer/protocol/netbios/NetbiosSSN.h | 1 +
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 08d4fdc8a2..3f2360ed09 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -358,6 +358,12 @@ void Contents_NetbiosSSN::Flush()
 }
 void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ while ( len > 0 )
+ ProcessChunk(len, data, orig);
+ }
+
+void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
 {
 tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
@@ -434,6 +440,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
 for ( n = 0; buf_n < msg_size && n < len; ++n )
 msg_buf[buf_n++] = data[n];
+ data += n;
+ len -= n;
+
 if ( buf_n < msg_size )
 // Haven't filled up the message buffer yet, no more to do.
 return;
@@ -442,10 +451,6 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
 buf_n = 0;
 state = NETBIOS_SSN_TYPE;
-
- if ( n < len )
- // More data to munch on.
- DeliverStream(len - n, data + n, orig);
 }
 NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h
index e775abf839..27d1be4ba9 100644 
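Review bot: The new `while ( len > 0 )` loop in DeliverStream terminates only if every return path through ProcessChunk consumes at least one byte, and the only cursor advance visible in this patch is the `data += n; len -= n;` after the copy loop in the second hunk; the header-parsing states of ProcessChunk that sit between the hunks are not shown, so if any of them returns without touching `len`, or if `n` stays 0 because `buf_n` already equals `msg_size` on entry, the former stack-overflow input now becomes a non-terminating loop that wedges the worker rather than crashing it. A progress check inside the loop makes the termination argument local to DeliverStream and turns a no-progress call into a bounded stop (and a natural place for a weird/report if the project wants it visible). The tail recursion removed in the third hunk relied on the same implicit `n > 0` assumption, so this guard covers that hunk as well. The body of ProcessChunk continues outside the first hunk.
```cpp
void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
	{
	while ( len > 0 )
		{
		int before = len;
		ProcessChunk(len, data, orig);

		// ProcessChunk must consume at least one byte per call; if it did
		// not, stop here instead of spinning on this delivery forever.
		if ( len == before )
			break;
		}
	}
```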
--- a/src/analyzer/protocol/netbios/NetbiosSSN.h
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.h
@@ -124,6 +124,7 @@ public:
 protected:
 void DeliverStream(int len, const u_char* data, bool orig) override;
+ void ProcessChunk(int& len, const u_char*& data, bool orig);
 NetbiosSSN_Interpreter* interp;