QUIC/decrypt_crypto: Limit payload_length to 10k

Given we dynamically allocate memory for decryption, employ a limit
that is unlikely to be hit, but allows for large payloads produced
by the fuzzer or jumbo frames.
Arne Welzel 2024-12-11 12:51:23 +01:00 committed by Tim Wojtulewicz
parent 15511e0fb5
commit f10832d110


@ -158,6 +158,11 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length,
decryptInfo.packet_number_length + AEAD_TAG_LENGTH)); decryptInfo.packet_number_length + AEAD_TAG_LENGTH));
// Bail on large payloads, somewhat arbitrarily. 10k allows for Jumbo frames
// and sometimes the fuzzer produces packets up to that size as well.
if ( payload_length > 10000 )
throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length));
const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size(); const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size();
int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH; int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH;
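Review bot: The cap in `if ( payload_length > 10000 )` is a bare literal, while the length check just above it uses the named constant `AEAD_TAG_LENGTH`; defining something like `MAX_PAYLOAD_LENGTH` next to that constant would keep the limit and its rationale in one place. The comment could also say what the bound protects, for example `// Caps the decryption buffer we allocate from a length field taken from the packet.` Note that the cap limits allocation size only and does not establish that `all_data` actually holds `unprotected_header.size() + payload_length` bytes before `encrypted_payload` is read. The body of `decrypt` continues outside this hunk, so whether that comparison exists further down cannot be confirmed from here and is worth checking.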