tls: set event if input buffer overflows
authorMats Klepsland <mats.klepsland@gmail.com>
Wed, 18 May 2016 13:30:49 +0000 (15:30 +0200)
committerVictor Julien <victor@inliniac.net>
Sun, 25 Sep 2016 20:12:00 +0000 (22:12 +0200)
Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.

src/app-layer-ssl.c
src/app-layer-ssl.h

index bdf0fbe2a38666559d5433e3abe6934b6cc9825a..f9e1a1770baa6070310c36f0a25dd5286b260943 100644 (file)
@@ -63,6 +63,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
     { "INVALID_HEARTBEAT_MESSAGE",   TLS_DECODER_EVENT_INVALID_HEARTBEAT },
     { "OVERFLOW_HEARTBEAT_MESSAGE",  TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
     { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH },
+    { "HANDSHAKE_INVALID_LENGTH",    TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH },
     { "MULTIPLE_SNI_EXTENSIONS",     TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
     { "INVALID_SNI_TYPE",            TLS_DECODER_EVENT_INVALID_SNI_TYPE },
     { "INVALID_SNI_LENGTH",          TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
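Review bot: Nothing in this commit makes the new `HANDSHAKE_INVALID_LENGTH` event visible to an operator: the file list shows only `src/app-layer-ssl.c` and `src/app-layer-ssl.h`, so no rule matching the event is added alongside this table entry. An app-layer event that no rule references is set on the flow but never produces an alert. I would add a rule for it in the same change, or say in the commit message that users must write their own `app-layer-event` rule to see it.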
@@ -247,7 +248,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     input += SSLV3_CLIENT_HELLO_RANDOM_LEN;
 
     if (!(HAS_SPACE(1)))
-        goto end;
+        goto invalid_length;
 
     /* skip session id */
     uint8_t session_id_length = *(input++);
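Review bot: A hello that is merely incomplete now raises the same event as a malformed one, because a failing `HAS_SPACE(1)` here only says that the buffer passed to this call ran out. If the caller can hand in a handshake message that is split across records or segments (the call site is outside this diff), `HANDSHAKE_INVALID_LENGTH` would be set on legitimate traffic and rules built on it would false-positive. The same applies to every `goto invalid_length` in the hunks that follow. I would state the precondition above the function, for example `/* input must hold the complete handshake message; a short buffer is reported as invalid length */`, and confirm the caller meets it. The function body starts and ends outside this hunk.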
@@ -255,7 +256,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     input += session_id_length;
 
     if (!(HAS_SPACE(2)))
-        goto end;
+        goto invalid_length;
 
     /* skip cipher suites */
     uint16_t cipher_suites_length = input[0] << 8 | input[1];
@@ -264,7 +265,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     input += cipher_suites_length;
 
     if (!(HAS_SPACE(1)))
-        goto end;
+        goto invalid_length;
 
     /* skip compression methods */
     uint8_t compression_methods_length = *(input++);
@@ -272,7 +273,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     input += compression_methods_length;
 
     if (!(HAS_SPACE(2)))
-        goto end;
+        goto invalid_length;
 
     uint16_t extensions_len = input[0] << 8 | input[1];
     input += 2;
@@ -281,13 +282,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
     while (processed_len < extensions_len)
     {
         if (!(HAS_SPACE(2)))
-            goto end;
+            goto invalid_length;
 
         uint16_t ext_type = input[0] << 8 | input[1];
         input += 2;
 
         if (!(HAS_SPACE(2)))
-            goto end;
+            goto invalid_length;
 
         uint16_t ext_len = input[0] << 8 | input[1];
         input += 2;
@@ -308,7 +309,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
                 input += 2;
 
                 if (!(HAS_SPACE(1)))
-                    goto end;
+                    goto invalid_length;
 
                 uint8_t sni_type = *(input++);
 
@@ -322,13 +323,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
                 }
 
                 if (!(HAS_SPACE(2)))
-                    goto end;
+                    goto invalid_length;
 
                 uint16_t sni_len = input[0] << 8 | input[1];
                 input += 2;
 
                 if (!(HAS_SPACE(sni_len)))
-                    goto end;
+                    goto invalid_length;
 
                 /* host_name contains the fully qualified domain name,
                    and should therefore be limited by the maximum domain
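Review bot: A truncated server name now sets the generic `HANDSHAKE_INVALID_LENGTH` at `if (!(HAS_SPACE(sni_len)))`, although the event table already has `INVALID_SNI_LENGTH`, and the two names do not tell a rule writer which one fires in which case. Judging by the comment that follows, the SNI-specific event appears to cover a host name longer than a domain name may be, but that code is outside the hunk. If that reading is right, a comment at this check would settle it: `/* sni_len runs past the buffer: generic length event; INVALID_SNI_LENGTH is for an over-long host name */`.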
@@ -363,6 +364,12 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
 
 end:
     return 0;
+
+invalid_length:
+    SCLogDebug("TLS handshake invalid length");
+    SSLSetEvent(ssl_state,
+            TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH);
+    return 0;
 }
 
 static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
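Review bot: The `invalid_length` path still ends in `return 0;`, the same value as the `end:` path, so the caller cannot tell a hello that was cut short from one that parsed completely; the event is the only trace. If the caller should stop processing the record after a length failure, a distinct return such as `return -1;` would make that possible, though whether callers tolerate a non-zero return is not visible here. The debug line `"TLS handshake invalid length"` is also shared by nine different checks, so it does not say which field ran out of data.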
index 30fa476c4abaa2c9f6a4656c265ff4aebcc7e5f2..3253ce46d56ebd1d3f4efa7b0ee2942312f2a2a5 100644 (file)
@@ -42,6 +42,7 @@ enum {
     TLS_DECODER_EVENT_INVALID_HEARTBEAT,
     TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
     TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH,
+    TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH,
     TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
     TLS_DECODER_EVENT_INVALID_SNI_TYPE,
     TLS_DECODER_EVENT_INVALID_SNI_LENGTH,
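Review bot: `TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH` is inserted in the middle of the enum, which shifts the numeric value of every enumerator after it by one. Name lookups through `tls_decoder_event_table` are unaffected, but anything that stored or compared raw event numbers would now point at a different event; whether such a consumer exists is not visible in this diff. Adding the new enumerator after the last existing one would keep the old values stable. The enum continues outside this hunk.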