From b9f63173bc3cd6261bf655a0f846fa7a9307f789 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Fri, 12 Aug 2022 15:01:37 -0700
Subject: [PATCH] Check for valid ip_hdr length before trying to make a Val out of it
---
 CHANGES | 12 ++++++++++++
 VERSION | 2 +-
 src/iosource/Packet.cc | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0acccdc854..c4b9180754 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,15 @@
+5.1.0-dev.466 | 2022-08-26 11:00:06 -0700
+
+ * Check for valid ip_hdr length before trying to make a Val out of it (Tim Wojtulewicz, Corelight)
+
+ * Fix potential overflow in modbus analyzer's bytestring_to_coils (Tim Wojtulewicz, Corelight)
+
+ * Add some sanity checking to BadARPEvent method (Tim Wojtulewicz, Corelight)
+
+ * Swap DNS EDNS field order to match script-land type (Tim Wojtulewicz, Corelight)
+
+ * Reset packet cap_len before returning from IP::AnalyzePacket (Tim Wojtulewicz, Corelight)
+
 5.1.0-dev.461 | 2022-08-26 09:09:23 -0700
 * Revert to regular peering fn for ssl_auth_failure (Dominik Charousset, Corelight)
diff --git a/VERSION b/VERSION
index f21caf33fa..bac9b6f4f4 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.461
+5.1.0-dev.466
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 61108381b8..e9edcab241 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -142,7 +142,7 @@ RecordValPtr Packet::ToRawPktHdrVal() const
 pkt_hdr->Assign(0, std::move(l2_hdr));
- if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 )
+ if ( ip_hdr && cap_len >= ip_hdr->TotalLen() && (l3_proto == L3_IPV4 || l3_proto == L3_IPV6) )
 // Packet analysis will have stored the IP header in the packet, so we can use
 // that to build the output.
 return ip_hdr->ToPktHdrVal(std::move(pkt_hdr), 1);
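Review bot: The new bound in the `if` of the Packet.cc hunk compares `cap_len` with `ip_hdr->TotalLen()`, and if `cap_len` is still the captured length of the whole frame at this point it includes the link-layer header, while `TotalLen()` presumably comes from the IP header's own, packet-supplied length field. In that case a frame truncated by less than the layer-2 header size still passes the check, and `ToPktHdrVal` may look at bytes that were never captured; consider comparing against the captured bytes that remain after the layer-2 header, or confirm that packet analysis has already adjusted `cap_len` here. The comment under the condition no longer matches it now that `ip_hdr` is tested for null; something like `// Only use ip_hdr if it is set and the captured data covers its claimed total length.` would record why the guard exists. ToRawPktHdrVal's body starts and ends outside the hunk, so what the function returns when the check fails is not visible here.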