adulau/ssldump
1
0
Fork 0
mirror of https://github.com/adulau/ssldump.git synced 2024-09-18 08:46:25 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #33 from wllm-rbnt/oob-reads

Browse source 
Fix multiple segfaults on out-of-bounds read access
This commit is contained in:
Alexandre Dulaunoy 2020-09-03 23:12:17 +02:00 committed by GitHub
commit 28622f065c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
base/network.c
View file

@ -134,6 +134,12 @@ int network_process_packet(handler,timestamp,data,length)
hlen=p.ip->ip_hl * 4; hlen=p.ip->ip_hl * 4;
p.data += hlen; p.data += hlen;
p.len = ntohs(p.ip->ip_len); p.len = ntohs(p.ip->ip_len);
if(p.len > length) {
printf("Malformed packet, size from IP header is larger than size reported by libpcap, skipping ...\n");
return(0);
}
if (p.len == 0) { if (p.len == 0) {
DBG((0,"ip length reported as 0, presumed to be because of 'TCP segmentation offload' (TSO)\n")); DBG((0,"ip length reported as 0, presumed to be because of 'TCP segmentation offload' (TSO)\n"));
p.len = p._len; p.len = p._len;

5
base/tcppack.c
View file

@ -243,6 +243,11 @@ static int process_data_segment(conn,handler,p,stream,direction)
l=p->len - p->tcp->th_off * 4; l=p->len - p->tcp->th_off * 4;
if(l < 0) {
printf("Malformed packet, computed TCP segment size is negative, skipping ...\n");
return(0);
}
if(stream->close){ if(stream->close){
DBG((0,"Rejecting packet received after FIN: %u:%u(%u)", DBG((0,"Rejecting packet received after FIN: %u:%u(%u)",
ntohl(p->tcp->th_seq),ntohl(p->tcp->th_seq+l),l)); ntohl(p->tcp->th_seq),ntohl(p->tcp->th_seq+l),l));

6
ssl/ssl.enums.c
View file

@ -240,7 +240,7 @@ static int decode_HandshakeType_ClientHello(ssl,dir,seg,data)
if (ssl_decode_switch(ssl,extension_decoder,ex,dir,seg,data) == R_NOT_FOUND) { if (ssl_decode_switch(ssl,extension_decoder,ex,dir,seg,data) == R_NOT_FOUND) {
decode_extension(ssl,dir,seg,data); decode_extension(ssl,dir,seg,data);
P_(P_RH){ P_(P_RH){
explain(ssl, "Extension type: %s not yet implemented in ssldump", ex); explain(ssl, "Extension type: %u not yet implemented in ssldump\n", ex);
} }
continue; continue;
} }
@ -300,7 +300,7 @@ static int decode_HandshakeType_ServerHello(ssl,dir,seg,data)
if (ssl_decode_switch(ssl,extension_decoder,ex,dir,seg,data) == R_NOT_FOUND) { if (ssl_decode_switch(ssl,extension_decoder,ex,dir,seg,data) == R_NOT_FOUND) {
decode_extension(ssl,dir,seg,data); decode_extension(ssl,dir,seg,data);
P_(P_RH){ P_(P_RH){
explain(ssl, "Extension type: %s not yet implemented in ssldump", ex); explain(ssl, "Extension type: %u not yet implemented in ssldump,\n", ex);
} }
continue; continue;
} }
@ -2538,7 +2538,7 @@ static int decode_extension_server_name(ssl,dir,seg,data)
if (ssl_decode_switch(ssl,server_name_type_decoder,t,dir,seg,data) == R_NOT_FOUND) { if (ssl_decode_switch(ssl,server_name_type_decoder,t,dir,seg,data) == R_NOT_FOUND) {
decode_server_name(ssl,dir,seg,data); decode_server_name(ssl,dir,seg,data);
P_(P_RH){ P_(P_RH){
explain(ssl, "Server Name type: %s not yet implemented in ssldump", t); explain(ssl, "Server Name type: %u not yet implemented in ssldump\n", t);
} }
continue; continue;
} }