Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 21:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix potential NetbiosSSN analyzer stack overflow

Browse source 
The Contents_NetbiosSSN analyzer used a recursive message parsing
function that determined the size of the next message from the input
packet-data itself.  A packet containing a sequence of many small
messages could cause a stack overflow since a recursion happened after
processing each message.
This commit is contained in:
Jon Siwek 2020-07-20 13:36:37 -07:00
parent 8e70ff653f
commit abba6fd3d0
2 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -358,6 +358,12 @@ void Contents_NetbiosSSN::Flush()
}
void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
{
while ( len > 0 )
ProcessChunk(len, data, orig);
}
void Contents_NetbiosSSN::ProcessChunk(int& len, const u_char*& data, bool orig)
{
tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
@ -434,6 +440,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
for ( n = 0; buf_n < msg_size && n < len; ++n )
msg_buf[buf_n++] = data[n];
data += n;
len -= n;
if ( buf_n < msg_size )
// Haven't filled up the message buffer yet, no more to do.
return;
@ -442,10 +451,6 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
buf_n = 0;
state = NETBIOS_SSN_TYPE;
if ( n < len )
// More data to munch on.
DeliverStream(len - n, data + n, orig);
}
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)

1
src/analyzer/protocol/netbios/NetbiosSSN.h
View file

@ -124,6 +124,7 @@ public:
protected:
void DeliverStream(int len, const u_char* data, bool orig) override;
void ProcessChunk(int& len, const u_char*& data, bool orig);
NetbiosSSN_Interpreter* interp;