source/erf: validate record length before read

Check the ERF record length before attempting to read it as
a record length less than the size of the record header
is invalid.

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3593

diff --git a/src/source-erf-file.c b/src/source-erf-file.c
index 1de5bb5f7ff008c8059769ccc8bcf000266d4396..853a45a152def938332ec4f89fee246b6e7a8f30 100644 (file)
--- a/src/source-erf-file.c
+++ b/src/source-erf-file.c
@@ -165,8 +165,13 @@ static inline TmEcode ReadErfRecord(ThreadVars *tv, Packet *p, void *data)
         }
         SCReturnInt(TM_ECODE_FAILED);
     }
-    int rlen = SCNtohs(dr.rlen);
-    int wlen = SCNtohs(dr.wlen);
+    uint16_t rlen = SCNtohs(dr.rlen);
+    uint16_t wlen = SCNtohs(dr.wlen);
+    if (rlen < sizeof(DagRecord)) {
+        SCLogError(SC_ERR_ERF_BAD_RLEN, "Bad ERF record, "
+            "record length less than size of header");
+        SCReturnInt(TM_ECODE_FAILED);
+    }
     r = fread(GET_PKT_DATA(p), rlen - sizeof(DagRecord), 1, etv->erf);
     if (r < 1) {
         if (feof(etv->erf)) {

diff --git a/src/util-error.c b/src/util-error.c
index 81f64cfef4099a17c8ad361dd0207679bbd88673..e9a398da26d2e4e6ab9fde9b07f0fd9dbdce8232 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -368,6 +368,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_WARN_ANOMALY_CONFIG);
         CASE_CODE (SC_WARN_ALERT_CONFIG);
         CASE_CODE (SC_WARN_REGISTRATION_FAILED);
+        CASE_CODE (SC_ERR_ERF_BAD_RLEN);
 
         CASE_CODE (SC_ERR_MAX);
     }

diff --git a/src/util-error.h b/src/util-error.h
index 67bb9daa9fbb5ca3639b49d94d0b3372a960e680..28683bafa413b2edfbeed383a7f9512a32af5b5e 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -358,6 +358,7 @@ typedef enum {
     SC_ERR_PCRE_COPY_SUBSTRING,
     SC_WARN_PCRE_JITSTACK,
     SC_WARN_REGISTRATION_FAILED,
+    SC_ERR_ERF_BAD_RLEN,
 
     SC_ERR_MAX
 } SCError;