From fb2042ca7648cd274670e2d3c5bb8d9ad6afea22 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Thu, 30 Mar 2023 15:47:01 +0200
Subject: [PATCH] Consider cap len when forwarding into packet analysis.

When forwarding into packet analysis from TCP or UDP, the protocol's length fields were trusted. This might be dangerous in case of truncated packets.
---
 src/packet_analysis/Analyzer.h | 6 ++++--
 src/packet_analysis/protocol/tcp/TCP.cc | 2 +-
 src/packet_analysis/protocol/udp/UDP.cc | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index d698022e80..90f83d10fa 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -237,8 +237,9 @@ protected:
 * Triggers analysis of the encapsulated packet. The encapsulated protocol
 * is determined using the given identifier.
 *
+ * @param len The length of the data left to analyze.
+ * @param data Pointer to the payload in the raw packet left to analyze.
 * @param packet The packet to analyze.
- * @param data Reference to the payload pointer into the raw packet.
 * @param identifier The identifier of the encapsulated protocol.
 *
 * @return false if the analysis failed, else true.
@@ -249,8 +250,9 @@ protected:
 * Triggers default analysis of the encapsulated packet if the default analyzer
 * is set.
 *
+ * @param len The length of the data left to analyze.
+ * @param data Pointer to the payload in the raw packet left to analyze.
 * @param packet The packet to analyze.
- * @param data Reference to the payload pointer into the raw packet.
 *
 * @return false if the analysis failed, else true.
 */
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index fea5acd6a1..6d6dfc4dbb 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -125,7 +125,7 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 pkt->session = c;
 // Send the packet back into the packet analysis framework.
- ForwardPacket(len, data, pkt);
+ ForwardPacket(std::min(len, remaining), data, pkt);
 // Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
 // but this adapter does some other things in its DeliverPacket with the packet children
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index a2025a71d4..58f12960a3 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -223,7 +223,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 // port here because the orig/resp should have already swapped around based on
 // likely_server_ports. This also prevents us from processing things twice if protocol
 // detection has to be used.
- ForwardPacket(len, data, pkt, ntohs(c->RespPort()));
+ ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
 // Also try sending it into session analysis.
 if ( remaining >= len )
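Review bot: In TCPAnalyzer::DeliverPacket (TCP.cc) the clamp `std::min(len, remaining)` compares values that look signed (`remaining` is an `int` in the signature; `len` is declared outside the hunk), so a negative value on either side would win the comparison and, if ForwardPacket takes an unsigned length, be converted into a very large one. Unless earlier code in the function already guarantees both are non-negative, guard before forwarding, e.g. `if ( len < 0 || remaining < 0 ) return;`. The same applies to the identical call in UDPAnalyzer::DeliverPacket (UDP.cc). Both files also start using `std::min` while the diffstat shows no added `#include <algorithm>`, so they appear to rely on a transitive include. The function body starts and ends outside the hunk.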
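Review bot: In UDPAnalyzer::DeliverPacket (UDP.cc) the forwarded length is now clamped without explanation, although the very next statement, `if ( remaining >= len )`, shows that truncation is a condition this function already distinguishes. The existing comment above the call only explains the port choice, so add a line such as `// Clamp to the captured length: the UDP length field is untrusted when the packet was truncated.` above the call. It may also be worth confirming that a truncated payload is reported somewhere before it reaches child analyzers, since they now receive fewer bytes than the header claims; that is not visible in this hunk.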