Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix possible buffer over-read in DNS TSIG parsing

Browse source
This commit is contained in:
Jon Siwek 2014-09-02 14:22:26 -05:00
parent 73cc81f44a
commit dde0ce234f
5 changed files with 30 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/analyzer/protocol/dns/DNS.cc
View file

@ -701,6 +701,19 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
return 1; return 1;
} }
void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len,
BroString** p)
{
uint16 dlen = ExtractShort(data, len);
dlen = min(len, static_cast<int>(dlen));
if ( p )
*p = new BroString(data, dlen, 0);
data += dlen;
len -= dlen;
}
int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength, const u_char*& data, int& len, int rdlength,
const u_char* msg_start) const u_char* msg_start)
@ -718,24 +731,17 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
uint32 sign_time_sec = ExtractLong(data, len); uint32 sign_time_sec = ExtractLong(data, len);
unsigned int sign_time_msec = ExtractShort(data, len); unsigned int sign_time_msec = ExtractShort(data, len);
unsigned int fudge = ExtractShort(data, len); unsigned int fudge = ExtractShort(data, len);
BroString* request_MAC;
u_char request_MAC[16]; ExtractOctets(data, len, &request_MAC);
memcpy(request_MAC, data, sizeof(request_MAC));
// Here we adjust the size of the requested MAC + u_int16_t
// for length. See RFC 2845, sec 2.3.
int n = sizeof(request_MAC) + sizeof(u_int16_t);
data += n;
len -= n;
unsigned int orig_id = ExtractShort(data, len); unsigned int orig_id = ExtractShort(data, len);
unsigned int rr_error = ExtractShort(data, len); unsigned int rr_error = ExtractShort(data, len);
ExtractOctets(data, len, 0); // Other Data
msg->tsig = new TSIG_DATA; msg->tsig = new TSIG_DATA;
msg->tsig->alg_name = msg->tsig->alg_name =
new BroString(alg_name, alg_name_end - alg_name, 1); new BroString(alg_name, alg_name_end - alg_name, 1);
msg->tsig->sig = new BroString(request_MAC, sizeof(request_MAC), 1); msg->tsig->sig = request_MAC;
msg->tsig->time_s = sign_time_sec; msg->tsig->time_s = sign_time_sec;
msg->tsig->time_ms = sign_time_msec; msg->tsig->time_ms = sign_time_msec;
msg->tsig->fudge = fudge; msg->tsig->fudge = fudge;

1
src/analyzer/protocol/dns/DNS.h
View file

@ -180,6 +180,7 @@ protected:
uint16 ExtractShort(const u_char*& data, int& len); uint16 ExtractShort(const u_char*& data, int& len);
uint32 ExtractLong(const u_char*& data, int& len); uint32 ExtractLong(const u_char*& data, int& len);
void ExtractOctets(const u_char*& data, int& len, BroString** p);
int ParseRR_Name(DNS_MsgInfo* msg, int ParseRR_Name(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength, const u_char*& data, int& len, int rdlength,

2
testing/btest/Baseline/scripts.base.protocols.dns.tsig/out Normal file
View file

@ -0,0 +1,2 @@
[query=secret-key, qtype=3, alg_name=hmac-md5.sig-alg.reg.int, sig=F\xbd\xbf1\xef^B6\xb8\xeb\xae1u,\x87\xdb^?, time_signed=21513.794, fudge=300.0, orig_id=9703, rr_error=0, is_query=1]
16

BIN
testing/btest/Traces/dns-tsig.trace Normal file
View file

Binary file not shown.

10
testing/btest/scripts/base/protocols/dns/tsig.bro Normal file
View file

@ -0,0 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/dns-tsig.trace %INPUT >out
# @TEST-EXEC: btest-diff out
redef dns_skip_all_addl = F;
event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
{
print ans;
print |ans$sig|;
}