tls: set event if record size exceeds limit

author Victor Julien <vjulien@oisf.net>

Mon, 8 Aug 2022 10:02:22 +0000 (12:02 +0200)

committer Victor Julien <vjulien@oisf.net>

Wed, 21 Sep 2022 04:43:48 +0000 (06:43 +0200)
author Victor Julien <vjulien@oisf.net>
Mon, 8 Aug 2022 10:02:22 +0000 (12:02 +0200)
committer Victor Julien <vjulien@oisf.net>
Wed, 21 Sep 2022 04:43:48 +0000 (06:43 +0200)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c

index bed6f5050cec99b0dd4f15b77586ee72e416fe23..8d98334f55cd8f70347565854c48da145c3324a6 100644 (file)
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -87,39 +87,41 @@ SCEnumCharMap tls_frame_table[] = {
      { NULL, -1 },
  };
  
-SCEnumCharMap tls_decoder_event_table[ ] = {
+SCEnumCharMap tls_decoder_event_table[] = {
      /* TLS protocol messages */
-    { "INVALID_SSLV2_HEADER",        TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
-    { "INVALID_TLS_HEADER",          TLS_DECODER_EVENT_INVALID_TLS_HEADER },
-    { "INVALID_RECORD_VERSION",      TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
-    { "INVALID_RECORD_TYPE",         TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
-    { "INVALID_HANDSHAKE_MESSAGE",   TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
-    { "HEARTBEAT_MESSAGE",           TLS_DECODER_EVENT_HEARTBEAT },
-    { "INVALID_HEARTBEAT_MESSAGE",   TLS_DECODER_EVENT_INVALID_HEARTBEAT },
-    { "OVERFLOW_HEARTBEAT_MESSAGE",  TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
+    { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
+    { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
+    { "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
+    { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
+    { "INVALID_RECORD_LENGTH", TLS_DECODER_EVENT_INVALID_RECORD_LENGTH },
+    { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
+    { "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT },
+    { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT },
+    { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
      { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH },
-    { "HANDSHAKE_INVALID_LENGTH",    TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH },
-    { "MULTIPLE_SNI_EXTENSIONS",     TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
-    { "INVALID_SNI_TYPE",            TLS_DECODER_EVENT_INVALID_SNI_TYPE },
-    { "INVALID_SNI_LENGTH",          TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
-    { "TOO_MANY_RECORDS_IN_PACKET",  TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET },
+    { "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH },
+    { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
+    { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE },
+    { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
+    { "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET },
      /* certificate decoding messages */
-    { "INVALID_CERTIFICATE",         TLS_DECODER_EVENT_INVALID_CERTIFICATE },
-    { "CERTIFICATE_INVALID_LENGTH",  TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH },
+    { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
+    { "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH },
      { "CERTIFICATE_INVALID_VERSION", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION },
-    { "CERTIFICATE_INVALID_SERIAL",  TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL },
-    { "CERTIFICATE_INVALID_ALGORITHMIDENTIFIER",  TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER },
+    { "CERTIFICATE_INVALID_SERIAL", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL },
+    { "CERTIFICATE_INVALID_ALGORITHMIDENTIFIER",
+            TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER },
      { "CERTIFICATE_INVALID_X509NAME", TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME },
-    { "CERTIFICATE_INVALID_DATE",    TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE },
+    { "CERTIFICATE_INVALID_DATE", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE },
      { "CERTIFICATE_INVALID_EXTENSIONS", TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS },
-    { "CERTIFICATE_INVALID_DER",     TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER },
+    { "CERTIFICATE_INVALID_DER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER },
      { "CERTIFICATE_INVALID_SUBJECT", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT },
-    { "CERTIFICATE_INVALID_ISSUER",  TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER },
+    { "CERTIFICATE_INVALID_ISSUER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER },
      { "CERTIFICATE_INVALID_VALIDITY", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY },
-    { "ERROR_MESSAGE_ENCOUNTERED",   TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED },
+    { "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED },
      /* used as a generic error event */
-    { "INVALID_SSL_RECORD",          TLS_DECODER_EVENT_INVALID_SSL_RECORD },
-    { NULL,                          -1 },
+    { "INVALID_SSL_RECORD", TLS_DECODER_EVENT_INVALID_SSL_RECORD },
+    { NULL, -1 },
  };
  
  enum {
@@ -195,6 +197,7 @@ SslConfig ssl_config;
  
  #define SSLV3_RECORD_HDR_LEN            5
  #define SSLV3_MESSAGE_HDR_LEN           4
+#define SSLV3_RECORD_MAX_LEN            1 << 14
  
  #define SSLV3_CLIENT_HELLO_VERSION_LEN  2
  #define SSLV3_CLIENT_HELLO_RANDOM_LEN  32
@@ -2195,6 +2198,12 @@ static struct SSLDecoderResult SSLv3Decode(uint8_t direction, SSLState *ssl_stat
          record_len = MIN(input_len - parsed, ssl_state->curr_connp->record_length);
          SCLogDebug("record_len %u (input_len %u, parsed %u, ssl_state->curr_connp->record_length %u)",
                  record_len, input_len, parsed, ssl_state->curr_connp->record_length);
+
+        /* records are not supposed to exceed 16384, but the length field is 16 bits. */
+        if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN &&
+                ssl_state->curr_connp->record_length > SSLV3_RECORD_MAX_LEN) {
+            SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_RECORD_LENGTH);
+        }
      } else {
          ValidateRecordState(ssl_state->curr_connp);
  
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h

index 70ecc24aed4809d50badeede7527c486ddd1ca1a..7ec2b9cb18e0d7b21ea5be66cb929286bd55d13e 100644 (file)
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -45,6 +45,7 @@ enum {
      TLS_DECODER_EVENT_INVALID_TLS_HEADER,
      TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
      TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
+    TLS_DECODER_EVENT_INVALID_RECORD_LENGTH,
      TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
      TLS_DECODER_EVENT_HEARTBEAT,
      TLS_DECODER_EVENT_INVALID_HEARTBEAT,
author	Victor Julien <vjulien@oisf.net>
	Mon, 8 Aug 2022 10:02:22 +0000 (12:02 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Wed, 21 Sep 2022 04:43:48 +0000 (06:43 +0200)
src/app-layer-ssl.c		patch \| blob \| blame \| history
src/app-layer-ssl.h		patch \| blob \| blame \| history