Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch

Browse source 
* Fix potential NetbiosSSN analyzer stack overflow
This commit is contained in:
Jon Siwek 2020-07-27 11:36:53 -07:00
commit 5c6ebb443e
4 changed files with 32 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

21
CHANGES
View file

@ -1,4 +1,25 @@
3.2.0-dev.992 | 2020-07-27 11:36:53 -0700
* Fix potential NetbiosSSN analyzer stack overflow (Jon Siwek, Corelight)
The Contents_NetbiosSSN analyzer used a recursive message parsing
function that determined the size of the next message from the input
packet-data itself. A packet containing a sequence of many small
messages could cause a stack overflow since a recursion happened after
processing each message.
* Fix potential DNS analyzer stack overflow (Jon Siwek, Corelight)
The Contents_DNS analyzer used a recursive message parsing function that
determined the size of the next message from the input packet-data
itself. A packet containing a sequence of many small messages could
cause a stack overflow since a recursion happened after processing
each message.
Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24272
3.2.0-dev.988 | 2020-07-27 11:19:20 -0700 3.2.0-dev.988 | 2020-07-27 11:19:20 -0700
* Update submodules to release versions in prep for release/3.2 branch (Jon Siwek, Corelight) * Update submodules to release versions in prep for release/3.2 branch (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
3.2.0-dev.988 3.2.0-dev.992

13
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -358,6 +358,12 @@ void Contents_NetbiosSSN::Flush()
} }
void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
{
while ( len > 0 )
ProcessChunk(len, data, orig);
}
void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{ {
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
@ -434,6 +440,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
for ( n = 0; buf_n < msg_size && n < len; ++n ) for ( n = 0; buf_n < msg_size && n < len; ++n )
msg_buf[buf_n++] = data[n]; msg_buf[buf_n++] = data[n];
data += n;
len -= n;
if ( buf_n < msg_size ) if ( buf_n < msg_size )
// Haven't filled up the message buffer yet, no more to do. // Haven't filled up the message buffer yet, no more to do.
return; return;
@ -442,10 +451,6 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
buf_n = 0; buf_n = 0;
state = NETBIOS_SSN_TYPE; state = NETBIOS_SSN_TYPE;
if ( n < len )
// More data to munch on.
DeliverStream(len - n, data + n, orig);
} }
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)

1
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -124,6 +124,7 @@ public:
protected: protected:
void DeliverStream(int len, const u_char* data, bool orig) override; void DeliverStream(int len, const u_char* data, bool orig) override;
void ProcessChunk(int& len, const u_char*& data, bool orig);
NetbiosSSN_Interpreter* interp; NetbiosSSN_Interpreter* interp;