From: Mike Stepanek (mstepane)
Date: Tue, 11 Jan 2022 23:22:47 +0000 (+0000)
Subject: Pull request #3228: stream_tcp: fix PDU buffer overflow on fallback
X-Git-Tag: 3.1.20.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a6b9ac4491b76261e4896eb2b2c59160eb02985;p=thirdparty%2Fsnort3.git

Pull request #3228: stream_tcp: fix PDU buffer overflow on fallback

Merge in SNORT/snort3 from ~VHORBATO/snort3:def_reassm_overflow to master

Squashed commit of the following:

commit 97a97f3dc033732bb92b802a10bb20f71623c82c
Author: russ
Date:   Sun Dec 19 10:41:02 2021 -0500

    stream_tcp: limit reassembly size for AtomSplitter

    Thanks to barosch78 and DAKOIT for their help in the process of finding the root cause.
---
diff --git a/src/stream/stream_splitter.cc b/src/stream/stream_splitter.cc
index 721c66f98..df07b1c7d 100644
--- a/src/stream/stream_splitter.cc
+++ b/src/stream/stream_splitter.cc
@@ -44,15 +44,27 @@ const StreamBuffer StreamSplitter::reassemble(
     Flow*, unsigned, unsigned offset, const uint8_t* p, unsigned n, uint32_t flags,
     unsigned& copied)
 {
-    copied = n;
     if (n == 0)
         return { nullptr, 0 };
     unsigned max;
     uint8_t* pdu_buf = DetectionEngine::get_next_buffer(max);
+    max = max > Packet::max_dsize ? Packet::max_dsize : max;
+
+    n = std::min(n, max - offset);
+    /*
+    FIXIT:
+    - Extra bytes will be lost and will pass without inspection
+    - There is some inconsistency between IpsContext::buf_size (Codec::PKT_MAX)
+      and Packet::max_dsize(IP_MAXPACKET)
+    - reassemble returns data length(StreamBuffer::length) of 32-bit type, while some
+      callers use 16-bit type for the length
+    - How it correlates with stream_tcp.max_pdu which has {1460:32768} range,
+      should it be adjusted with --snaplen {68:65535}?
+    */
-    assert(offset + n < max);
     memcpy(pdu_buf+offset, p, n);
+    copied = n;
     if ( flags & PKT_PDU_TAIL )
         return { pdu_buf, offset + n };
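Review bot: With `copied = n;` moved below the memcpy, the early `if (n == 0) return { nullptr, 0 };` no longer writes the out-parameter, so a caller that reads `copied` after a zero-length call sees whatever value it held before, whereas the removed line used to set it to 0 on that path; suggest `if (n == 0) { copied = 0; return { nullptr, 0 }; }`. The new clamp `n = std::min(n, max - offset);` also relies on `offset <= max`: if a caller ever passes a larger offset the unsigned subtraction wraps, `n` stays unclamped, and the memcpy overruns the buffer in exactly the way the removed assert guarded against, so a guard such as `if (offset >= max) { copied = 0; return { nullptr, 0 }; }` before the clamp would keep that bound explicit (whether offsets above `max` can reach here depends on callers outside this hunk). The truncation noted in the FIXIT block means oversized PDUs are silently dropped from inspection rather than flagged; a counter or debug log at the clamp would make that loss observable. reassemble's body continues past the hunk.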