From: Victor Julien
Date: Tue, 6 Sep 2022 12:03:46 +0000 (+0200)
Subject: tls: make version and size checks stricter
X-Git-Tag: suricata-6.0.10~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43a3a7ee3928498dfb591af9b11f09ab7a3c822b;p=thirdparty%2Fsuricata.git

tls: make version and size checks stricter

This way bad records won't buffer lots of stream data.

(cherry picked from commit 599791fa33cf5a3be51d7cdd857350f53bb68fc2)
---

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 9a57c440ab..e33119c5fb 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -164,7 +164,8 @@ SslConfig ssl_config;
 #define SSLV3_RECORD_HDR_LEN 5
 #define SSLV3_MESSAGE_HDR_LEN 4
-#define SSLV3_RECORD_MAX_LEN 1 << 14
+/** max length according to RFC 5246 6.2.2 is 2^14 + 1024 */
+#define SSLV3_RECORD_MAX_LEN ((1 << 14) + 1024)
 #define SSLV3_CLIENT_HELLO_VERSION_LEN 2
 #define SSLV3_CLIENT_HELLO_RANDOM_LEN 32
@@ -2199,6 +2200,7 @@ static struct SSLDecoderResult SSLv3Decode(uint8_t direction, SSLState *ssl_stat
 if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN &&
 ssl_state->curr_connp->record_length > SSLV3_RECORD_MAX_LEN) {
 SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_RECORD_LENGTH);
+ return SSL_DECODER_ERROR(-1);
 }
 } else {
 ValidateRecordState(ssl_state->curr_connp);
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 625831b555..e590eaa023 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
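Review bot: The new SSLV3_RECORD_MAX_LEN and the comment above it cite RFC 5246 6.2.2, but that bound (2^14 + 1024) is the TLSCompressed limit; section 6.2.3 allows a TLSCiphertext fragment on the wire of up to 2^14 + 2048, so the decoder now raises TLS_DECODER_EVENT_INVALID_RECORD_LENGTH and stops decoding (the second hunk's `return SSL_DECODER_ERROR(-1);`) on record lengths a conforming TLS 1.2 peer may still emit. Real stacks stay well below 2^14 + 1024 with current cipher suites, so the likely effect is a lost TLS parse on a flow rather than anything worse, but the threshold should either be raised to the 6.2.3 bound, `#define SSLV3_RECORD_MAX_LEN ((1 << 14) + 2048)`, or the comment should say the lower value is a deliberate policy choice rather than the RFC maximum. The consequence of the early return is also worth a line next to it, e.g. `/* oversize record: give up on this stream rather than keep buffering */`. SSLv3Decode starts and ends outside the hunk, so whether the flow can recover after this error is not visible here.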
@@ -170,6 +170,39 @@ enum {
 TLS_VERSION_13_DRAFT26_FB = 0xfb1a,
 };
+static inline bool TLSVersionValid(const uint16_t version)
+{
+ switch (version) {
+ case TLS_VERSION_13:
+ case TLS_VERSION_12:
+ case TLS_VERSION_11:
+ case TLS_VERSION_10:
+ case SSL_VERSION_3:
+
+ case TLS_VERSION_13_DRAFT28:
+ case TLS_VERSION_13_DRAFT27:
+ case TLS_VERSION_13_DRAFT26:
+ case TLS_VERSION_13_DRAFT25:
+ case TLS_VERSION_13_DRAFT24:
+ case TLS_VERSION_13_DRAFT23:
+ case TLS_VERSION_13_DRAFT22:
+ case TLS_VERSION_13_DRAFT21:
+ case TLS_VERSION_13_DRAFT20:
+ case TLS_VERSION_13_DRAFT19:
+ case TLS_VERSION_13_DRAFT18:
+ case TLS_VERSION_13_DRAFT17:
+ case TLS_VERSION_13_DRAFT16:
+ case TLS_VERSION_13_PRE_DRAFT16:
+ case TLS_VERSION_13_DRAFT20_FB:
+ case TLS_VERSION_13_DRAFT21_FB:
+ case TLS_VERSION_13_DRAFT22_FB:
+ case TLS_VERSION_13_DRAFT23_FB:
+ case TLS_VERSION_13_DRAFT26_FB:
+ return true;
+ }
+ return false;
+}
+
 typedef struct SSLCertsChain_ {
 uint8_t *cert_data;
 uint32_t cert_len;
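Review bot: TLSVersionValid carries no Doxygen comment and its switch has no default, so the allowlist intent — every value not listed, including SSLv2 and unknown draft numbers, is rejected — is only implicit; add above the definition `/** \brief Allowlist of SSL/TLS record versions the decoder accepts; any other value is treated as invalid. */` and end the switch with `default: return false;` instead of the trailing return. The function relies on bool and uint16_t, yet this hunk shows no <stdbool.h>/<stdint.h> include, and nothing in this patch calls it — presumably the header already pulls those in and the caller sits in a hunk that is not part of this cherry-pick, which is worth confirming before merging a stricter-version commit that visibly tightens nothing. The `const` on a by-value parameter in a header is a definition detail only and can be dropped from the signature.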