Add better length check to BuildOptionsVal()

2025-10-13 12:08:20 +00:00 · 2022-09-09 11:08:56 -07:00 · 2022-09-09 11:08:56 -07:00 · 95e758e012
commit 95e758e012
parent 4c00c3c4ca
3 changed files with 21 additions and 2 deletions
--- a/19
+++ b/19
@ -1,3 +1,22 @@
+5.1.0-dev.511 | 2022-09-19 12:41:31 -0700
+
+  * Add better length check to BuildOptionsVal() (Tim Wojtulewicz, Corelight)
+
+  * smb: Unify transaction_data_to_val() usage (Arne Welzel, Corelight)
+
+    the data/string handling in smb1-com-transaction.pcac was improved
+    with c75519ca8869448efc488598090f96d63352312f, re-use the added
+    functionality also for smb1-com-transaction-secondary.pac to avoid
+    buffer overflows.
+
+  * Add some additional checks for caplen in ICMP analyzer (Tim Wojtulewicz, Corelight)
+
+  * irc: Check parts.size() before removing the nick (Arne Welzel, Corelight)
+
+    ...also, don't remove the nick twice.
+
+  * Check IP payload length before casting to transport structure (Tim Wojtulewicz, Corelight)
+
 5.1.0-dev.506 | 2022-09-15 11:11:57 -0400

  * Use NextStream instead of ForwardStream in fuzzers (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-5.1.0-dev.506
+5.1.0-dev.511
--- a/src/IP.cc
+++ b/src/IP.cc
@ -20,7 +20,7 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
 	{
 	auto vv = make_intrusive<VectorVal>(id::find_type<VectorType>("ip6_options"));

-	while ( len > 0 )
+	while ( static_cast<size_t>(len) >= sizeof(struct ip6_opt) )
 		{
 		static auto ip6_option_type = id::find_type<RecordType>("ip6_option");
 		const struct ip6_opt* opt = (const struct ip6_opt*)data;