Merge remote-tracking branch 'security/topic/awelzel/195-ieee802-heap-buffer-overflow'

* security/topic/awelzel/195-ieee802-heap-buffer-overflow: IEEE802_11: Fix buffer-overflow due to not accounting for the amsdu header
2025-10-02 14:48:21 +00:00 · 2023-10-27 11:04:16 -07:00 · 2023-10-27 11:04:16 -07:00 · 7852463b2f
commit 7852463b2f
parent 091c849abe bccf1a9253
3 changed files with 46 additions and 2 deletions
--- a/44
+++ b/44
@ -1,3 +1,47 @@
+6.2.0-dev.74 | 2023-10-27 11:04:16 -0700
+
+  * IEEE802_11: Fix buffer-overflow due to not accounting for the amsdu header (Arne Welzel, Corelight)
+
+    The fuzzer generated input where data length left was 14 and the amsdu_len
+    field set to 14. That caused buffer overread due not taking into account
+    the amsdu header length of 14.
+
+  * ssl: Prevent unbounded ssl_history growth (Arne Welzel, Corelight)
+
+    The ssl_history field may grow unbounded (e.g., ssl_alert event). Prevent this
+    by capping using a configurable limit (default 100) and raise a weird once reached.
+
+  * ssl: Cap number of alerts parsed from SSL record (Arne Welzel, Corelight)
+
+    Limit the number of events raised from an SSL record with content_type
+    alert (21) to a configurable maximum number (default 10). For TLS 1.3,
+    the limit is set to 1 as specified in the RFC. Add a new weird cases
+    where the limit is exceeded.
+
+    OSS-Fuzz managed to generate a reproducer that raised ~660k ssl_plaintext
+    and ssl_alert events given ~810kb of input data. This change prevents this
+    with hopefully no negative side-effect in the real-world.
+
+  * ftp: Do not base seq on number of pending commands (Arne Welzel, Corelight)
+
+    Previously, seq was computed as the result of |pending_commands|+1. This
+    opened the possibility to override queued commands, as well as logging
+    the same pending ftp reply multiple times.
+
+    For example, when commands 1, 2, 3 are pending, command 1 may be dequeued,
+    but the incoming command then receives seq 3 and overrides the already
+    pending command 3. The second scenario happens when ftp_reply() selected
+    command 3 as pending for logging, but is then followed by many ftp_request()
+    events. This resulted in command 3's response being logged for every
+    following ftp_request() over and over again.
+
+    Avoid both scenarios by tracking the command sequence as an absolute counter.
+
+  * X509Common/SCT parsing: Fix memory leak in error case (Arne Welzel, Corelight)
+
+    Failed to free the copy of the OCSP extension's value the inner
+    octet string couldn't be parsed.
+
 6.2.0-dev.64 | 2023-10-27 19:19:55 +0200

  * fuzzers: Add DTLS fuzzer (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-6.2.0-dev.64
+6.2.0-dev.74
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
+++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
@ -105,7 +105,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*

 			// This is the length of everything after the A-MSDU subframe header.
 			size_t amsdu_len = (data[12] << 8) + data[13];
-			if ( len < amsdu_len )
+			if ( len < amsdu_len + 14 )
 				{
 				Weird("truncated_802_11_amsdu_packet", packet);
 				return false;