From: Jason Ish Date: Mon, 6 Apr 2020 16:50:36 +0000 (-0600) Subject: source/erf: validate record length before read X-Git-Tag: suricata-6.0.0-beta1~548 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4639dd79324f7395054ea290077d315412796d6c;p=thirdparty%2Fsuricata.git source/erf: validate record length before read Check the ERF record length before attempting to read it as a record length less than the size of the record header is invalid. Redmine ticket: https://redmine.openinfosecfoundation.org/issues/3593 --- diff --git a/src/source-erf-file.c b/src/source-erf-file.c index 1de5bb5f7f..853a45a152 100644 --- a/src/source-erf-file.c +++ b/src/source-erf-file.c @@ -165,8 +165,13 @@ static inline TmEcode ReadErfRecord(ThreadVars *tv, Packet *p, void *data) } SCReturnInt(TM_ECODE_FAILED); } - int rlen = SCNtohs(dr.rlen); - int wlen = SCNtohs(dr.wlen); + uint16_t rlen = SCNtohs(dr.rlen); + uint16_t wlen = SCNtohs(dr.wlen); + if (rlen < sizeof(DagRecord)) { + SCLogError(SC_ERR_ERF_BAD_RLEN, "Bad ERF record, " + "record length less than size of header"); + SCReturnInt(TM_ECODE_FAILED); + } r = fread(GET_PKT_DATA(p), rlen - sizeof(DagRecord), 1, etv->erf); if (r < 1) { if (feof(etv->erf)) { diff --git a/src/util-error.c b/src/util-error.c index 81f64cfef4..e9a398da26 100644 --- a/src/util-error.c +++ b/src/util-error.c @@ -368,6 +368,7 @@ const char * SCErrorToString(SCError err) CASE_CODE (SC_WARN_ANOMALY_CONFIG); CASE_CODE (SC_WARN_ALERT_CONFIG); CASE_CODE (SC_WARN_REGISTRATION_FAILED); + CASE_CODE (SC_ERR_ERF_BAD_RLEN); CASE_CODE (SC_ERR_MAX); } diff --git a/src/util-error.h b/src/util-error.h index 67bb9daa9f..28683bafa4 100644 --- a/src/util-error.h +++ b/src/util-error.h @@ -358,6 +358,7 @@ typedef enum { SC_ERR_PCRE_COPY_SUBSTRING, SC_WARN_PCRE_JITSTACK, SC_WARN_REGISTRATION_FAILED, + SC_ERR_ERF_BAD_RLEN, SC_ERR_MAX } SCError;