diff --git a/base/tcppack.c b/base/tcppack.c
index 4304800..ed69546 100644
--- a/base/tcppack.c
+++ b/base/tcppack.c
@@ -95,11 +95,11 @@ int process_tcp_packet(handler,ctx,p)
 proper order. This shouldn't be a problem, though, except for simultaneous connects*/
 if((p->tcp->th_flags & (TH_SYN|TH_ACK))!=TH_SYN){
- DBG((0,"TCP: rejecting packet from unknown connection\n"));
+ DBG((0,"TCP: rejecting packet from unknown connection, seq: %u\n",ntohl(p->tcp->th_seq)));
 return(0);
 }
- DBG((0,"SYN1\n"));
+ DBG((0,"SYN1 seq: %u",ntohl(p->tcp->th_seq)));
 if(r=new_connection(handler,ctx,p,&conn)) ABORT(r);
 conn->i2r.seq=ntohl(p->tcp->th_seq)+1;
@@ -117,14 +117,14 @@ int process_tcp_packet(handler,ctx,p)
 conn->r2i.seq=ntohl(p->tcp->th_seq)+1;
 conn->r2i.ack=ntohl(p->tcp->th_ack)+1;
 conn->state=TCP_STATE_SYN2;
- DBG((0,"SYN2\n"));
+ DBG((0,"SYN2 seq: %u",ntohl(p->tcp->th_seq)));
 break;
 case TCP_STATE_SYN2: {
 char *sn=0,*dn=0;
 if(direction != DIR_I2R) break;
- DBG((0,"ACK\n"));
+ DBG((0,"ACK seq: %u",ntohl(p->tcp->th_seq)));
 conn->i2r.ack=ntohl(p->tcp->th_ack)+1;
 lookuphostname(&conn->i_addr,&sn);
 lookuphostname(&conn->r_addr,&dn);
@@ -228,7 +228,8 @@ static int process_data_segment(conn,handler,p,stream,direction)
 l=p->len - p->tcp->th_off * 4;
 if(stream->close){
- DBG((0,"Rejecting packet received after FIN"));
+ DBG((0,"Rejecting packet received after FIN: %u:%u(%u)",
+ ntohl(p->tcp->th_seq),ntohl(p->tcp->th_seq+l),l));
 return(0);
 }
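Review bot: The rewritten `SYN1`, `SYN2` and `ACK` messages in this hunk and in the `@@ -117` hunk drop the trailing `\n` that the original strings had, while the rewritten `rejecting packet` message a few lines above keeps it, so consecutive debug lines will run together unless DBG appends a newline itself (the pre-existing `Rejecting packet received after FIN` string has none, so that cannot be settled from these hunks). Suggest `DBG((0,"SYN1 seq: %u\n",ntohl(p->tcp->th_seq)));` and the same for the SYN2 and ACK lines. process_tcp_packet's body starts and ends outside these hunks.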
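Review bot: `ntohl(p->tcp->th_seq+l)` in the new DBG adds the host-order segment length to the still network-order sequence number before byte-swapping, so the printed end-of-segment value is wrong on little-endian hosts and will mislead anyone reading the trace; the conversion has to come first: `ntohl(p->tcp->th_seq)+l`. The message also has no trailing `\n`, unlike the `rejecting packet` string changed in the `@@ -95` hunk of the same file. process_data_segment's body continues outside the hunk.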
@@ -341,20 +342,26 @@ static int process_data_segment(conn,handler,p,stream,direction)
 if(conn->state == TCP_STATE_ESTABLISHED) conn->state=TCP_STATE_FIN1;
 else
- conn->state=TCP_STATE_CLOSED;
+ conn->state=TCP_STATE_CLOSED;
 }
 stream->oo_queue=seg->next;
 seg->next=0;
 stream->seq=seg->s_seq + seg->len;
- if(r=conn->analyzer->vtbl->data(conn->analyzer->obj,&_seg,direction))
+ DBG((0,"Analyzing segment: %u:%u(%u)", seg->s_seq, seg->s_seq+seg->len, seg->len));
+ if(r=conn->analyzer->vtbl->data(conn->analyzer->obj,&_seg,direction)) {
+ DBG((0,"ABORT due to segment: %u:%u(%u)", seg->s_seq, seg->s_seq+seg->len, seg->len));
 ABORT(r);
+ }
 }
 if(stream->close){
- if(r=conn->analyzer->vtbl->close(conn->analyzer->obj,p,direction))
- ABORT(r);
+ DBG((0,"Closing with segment: %u:%u(%u)", seg->s_seq, stream->seq, seg->len));
+ if(r=conn->analyzer->vtbl->close(conn->analyzer->obj,p,direction)) {
+ DBG((0,"ABORT due to segment: %u:%u(%u)", seg->s_seq, stream->seq, seg->len));
+ ABORT(r);
+ }
 }
 free_tcp_segment_queue(_seg.next);
diff --git a/common/lib/r_assoc.c b/common/lib/r_assoc.c
index 1328350..dfa1544 100644
--- a/common/lib/r_assoc.c
+++ b/common/lib/r_assoc.c
@@ -306,7 +306,7 @@ int r_assoc_copy(newp,old)
 ABORT(R_NO_MEMORY);
 for(i=0;isize;i++){
 if(r=copy_assoc_chain(new->chains+i,old->chains[i]))
- ABORT(r);
+ ABORT(R_NO_MEMORY);
 }
 *newp=new;
diff --git a/ssl/ssl_analyze.c b/ssl/ssl_analyze.c
index 258c801..0b7a80a 100644
--- a/ssl/ssl_analyze.c
+++ b/ssl/ssl_analyze.c
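Review bot: The new `Closing with segment` DBG reads `seg->s_seq` and `seg->len` after the reassembly loop, but the hunk does not show where `seg` is assigned or whether the loop body always runs before `stream->close` is tested, so on a close that arrives with nothing queued the pointer may be unset or point at a segment already handed off; if that is possible, print only `stream->seq` there or guard the line with `if(seg)`. The `%u` conversions also assume `s_seq` and `len` are unsigned, which is not visible from here. The loop head and the function's start lie outside the hunk, so this needs confirming against the surrounding code.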
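Review bot: `ABORT(R_NO_MEMORY)` replaces the `r` that copy_assoc_chain returned, so any other failure that helper can report is now surfaced as an out-of-memory error and the original cause is lost to the caller. If copy_assoc_chain only ever fails with R_NO_MEMORY this is harmless, but then a one-line comment saying so would spare the next reader the question; otherwise keep `ABORT(r);`. r_assoc_copy starts outside the hunk.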
@@ -359,12 +359,16 @@ static int read_ssl_record(obj,q,seg,offset,lastp,offsetp)
 case 23: break;
 default:
- printf("Unknown SSL content type %d\n",q->data[0] & 255);
- ABORT(R_INTERNAL);
+ DBG((0,"Unknown SSL content type %d for segment %u:%u(%u)",
+ q->data[0] & 255,seg->s_seq,seg->s_seq+seg->len,seg->len));
 }
 rec_len=COMBINE(q->data[3],q->data[4]);
+ /* SSL v3.0 spec says a record may not exceed 2**14 + 2048 == 18432 */
+ if(rec_len > 18432)
+ ABORT(R_INTERNAL);
+ /*Expand the buffer*/
 if(q->_allocated<(rec_len+SSL_HEADER_SIZE)){
 if(!(q->data=realloc(q->data,rec_len+5)))
diff --git a/ssl/sslprint.c b/ssl/sslprint.c
index bf12986..0137208 100644
--- a/ssl/sslprint.c
+++ b/ssl/sslprint.c
@@ -248,12 +248,12 @@ int ssl_expand_record(ssl,q,direction,data,len)
 SSL_DECODE_UINT16(ssl,0,0,&d,&length);
 if(d.len!=length){
- explain(ssl,"Short record\n");
+ explain(ssl," Short record: %u bytes available (expecting: %u)\n",length,d.len);
 return(0);
 }
 P_(P_RH){
- explain(ssl,"V%d.%d(%d)",vermaj,vermin,length);
+ explain(ssl," V%d.%d(%d)",vermaj,vermin,length);
 }
@@ -262,19 +262,22 @@ int ssl_expand_record(ssl,q,direction,data,len)
 r=ssl_decode_record(ssl,ssl->decoder,direction,ct,version,&d);
 if(r==SSL_BAD_MAC){
- explain(ssl," bad MAC\n");
+ explain(ssl," bad MAC\n");
 return(0);
 }
 if(r){
- if(r=ssl_print_enum(ssl,0,ContentType_decoder,ct))
+ if(r=ssl_print_enum(ssl,0,ContentType_decoder,ct)) {
+ printf(" unknown record type: %d\n", ct);
 ERETURN(r);
+ }
 printf("\n");
 }
 else{
- if(r=ssl_decode_switch(ssl,ContentType_decoder,data[0],direction,q,
- &d))
+ if(r=ssl_decode_switch(ssl,ContentType_decoder,data[0],direction,q, &d)) {
+ printf(" unknown record type: %d\n", ct);
 ERETURN(r);
+ }
 }
 return(0);
@@ -369,7 +372,7 @@ int ssl_lookup_enum(ssl,dtable,val,ptr)
 dtable++;
 }
- return(-1);
+ return(R_NOT_FOUND);
 }
 int ssl_decode_enum(ssl,name,size,dtable,p,data,x)
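Review bot: The new length check is the substantive hardening in this hunk — `rec_len` is taken from two header bytes of the observed stream and previously went straight into `realloc` — but `18432` is a bare magic number whose derivation lives only in the comment; give it a name alongside the other record constants, for example `#define SSL_MAX_RECORD_LEN (16384+2048) /* SSLv3: 2^14 fragment + 2048 ciphertext expansion */` and test `if(rec_len > SSL_MAX_RECORD_LEN)`. Note also that an unknown content type no longer aborts but falls through to the length parse, so this bound is now the only thing keeping a desynchronized or non-SSL stream from driving the allocation size; the ordering is correct as written and deserves a short comment on the `default:` branch saying that is intentional. read_ssl_record's body starts and ends outside the hunk.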
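Review bot: The two arguments of the new `Short record` message appear swapped: `length` is the value just decoded from the record header by `SSL_DECODE_UINT16` and `d.len` is what remains in the buffer, yet the format prints `length` as "bytes available" and `d.len` as "expecting". The line should read `explain(ssl," Short record: %u bytes available (expecting: %u)\n",d.len,length);`. Whether both values are unsigned, as `%u` requires, is not visible from this hunk; ssl_expand_record's body starts outside it.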
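Review bot: The new `printf(" unknown record type: %d\n", ct)` fires on any non-zero return from ssl_print_enum or ssl_decode_switch, not only on a lookup miss, so a decoder failure inside a perfectly known record type is reported as an unknown type; it also writes through plain printf while the surrounding diagnostics in this function go through `explain()`. Suggest `if(r==R_NOT_FOUND) explain(ssl," unknown record type: %d\n",ct);` at both sites, which matches the R_NOT_FOUND that the `@@ -369` and `@@ -416` hunks now return. The enclosing function starts outside the hunk.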
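Review bot: Changing ssl_lookup_enum's miss return from `-1` to `R_NOT_FOUND` here, and making ssl_print_enum return `R_NOT_FOUND` instead of printing `unknown value` and returning 0 in the `@@ -416` hunk, alters the contract every caller relies on: a call site that tests `< 0` for the former breaks if R_NOT_FOUND is not negative, and one that treated the latter as always succeeding now takes its error path. Only the ssl_expand_record call sites are updated in this commit; the remaining callers are not in the diff and should be audited. A one-line comment on each function, `/* returns R_NOT_FOUND when value is not in dtable */`, would record the new contract.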
@@ -416,8 +419,7 @@ int ssl_print_enum(ssl,name,dtable,value)
 dtable++;
 }
- explain(ssl,"%s","unknown value");
- return(0);
+ return(R_NOT_FOUND);
 }
 int explain(ssl_obj *ssl,char *format,...)
@@ -535,7 +537,7 @@ int print_data(ssl,d)
 printf("\n");
 for(i=0;ilen;i++){
- if(!isprint(d->data[i]) && !strchr("\r\n\t",d->data[i])){
+ if(d->data[i] == 0 || (!isprint(d->data[i]) && !strchr("\r\n\t",d->data[i]))){
 bit8=1;
 break;
 }
@@ -557,7 +559,8 @@ int print_data(ssl,d)
 else{
 int nl=1;
 INDENT;
- printf("---------------------------------------------------------------\n"); if(SSL_print_flags & SSL_PRINT_NROFF){
+ printf("---------------------------------------------------------------\n");
+ if(SSL_print_flags & SSL_PRINT_NROFF){
 if(ssl->process_ciphertext & ssl->direction) printf("\\f[CI]");
 else
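Review bot: The new condition still passes `d->data[i]` to `isprint` unconverted; if `d->data` is a plain `char` buffer (its type is not visible here), bytes at or above 0x80 become negative and `isprint` on a negative value other than EOF is undefined behaviour — use `isprint((unsigned char)d->data[i])`. The added `== 0` test is the right fix but its reason is non-obvious and deserves a why-comment: `/* strchr() also matches the terminating NUL, so 0 must be rejected explicitly */`. print_data's body starts and ends outside the hunk.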