Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Reassem: Reject blocks overflowing 64bit upper

Browse source 
The reassembler logic isn't wrap around safe, so just truncate or
reject such blocks. For files specifically, a byte offset in the
2**64 bytes represents 16EiB which is the maximum size supported
by BTRFS or NTFS (and probably nothing we'd ever see in practice).
This commit is contained in:
Arne Welzel 2023-03-27 12:50:52 +02:00
parent 9f8eb682b1
commit ea80f21e1d
3 changed files with 71 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/Reassem.cc
View file

@ -5,8 +5,10 @@
#include "zeek/zeek-config.h"
#include <algorithm>
#include <limits>
#include "zeek/Desc.h"
#include "zeek/Reporter.h"
using std::min;
@ -322,6 +324,17 @@ void Reassembler::CheckOverlap(const DataBlockList& list, uint64_t seq, uint64_t
void Reassembler::NewBlock(double t, uint64_t seq, uint64_t len, const u_char* data)
{
// Check for overflows - this should be handled by the caller
// and possibly reported as a weird or violation if applicable.
if ( std::numeric_limits<uint64_t>::max() - seq < len )
{
zeek::reporter->InternalWarning("Reassembler::NewBlock() truncating block at seq %" PRIx64
" from length %" PRIu64 " to %" PRIu64,
seq, len, std::numeric_limits<uint64_t>::max() - seq);
len = std::numeric_limits<uint64_t>::max() - seq;
}
if ( len == 0 )
return;