From: Shravan Rangarajuvenkata (shrarang) Date: Mon, 29 Jun 2020 15:18:50 +0000 (+0000) Subject: Merge pull request #2292 in SNORT/snort3 from ~AGIURGIU/snort3:dce_segfault to master X-Git-Tag: 3.0.2-1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ec8439027014c068403bafad7973f49623d6047;p=thirdparty%2Fsnort3.git Merge pull request #2292 in SNORT/snort3 from ~AGIURGIU/snort3:dce_segfault to master Squashed commit of the following: commit 6e188b18c9f4f5fc53a768437737321478b9277a Author: agiurgiu Date: Fri Jun 26 17:50:07 2020 +0300 dce_tcp: parse only endpoint mapper messages --- diff --git a/src/service_inspectors/dce_rpc/dce_co.cc b/src/service_inspectors/dce_rpc/dce_co.cc index ac88475f3..e3980ffce 100644 --- a/src/service_inspectors/dce_rpc/dce_co.cc +++ b/src/service_inspectors/dce_rpc/dce_co.cc @@ -41,6 +41,10 @@ static THREAD_LOCAL int co_reassembled = 0; static const Uuid uuid_ndr64 = { 0x71710533, 0xbeba, 0x4937, 0x83, 0x19, { 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 } }; +/* Endpoint mapper UUID */ +static const Uuid uuid_epm = { 0xe1af8308, 0x5d1f, 0x11c9, 0x91, 0xa4, + { 0x08, 0x00, 0x2b, 0x14, 0xa0, 0xfa } }; + /******************************************************************** * Function: DCE2_CoEptMapResponse() * @@ -50,10 +54,9 @@ static const Uuid uuid_ndr64 = { 0x71710533, 0xbeba, 0x4937, 0x83, 0x19, * which contain info about future sessions. * ********************************************************************/ -static void DCE2_CoEptMapResponse(const DCE2_CoTracker* cot, const DceRpcCoHdr* co_hdr, +static void DCE2_CoEptMapResponse(const DceRpcCoHdr* co_hdr, const DCE2_CoCtxIdNode* ctx_id_node, const uint8_t* stub_data, uint16_t dlen) { - DCE2_CoCtxIdNode* ctx_id_node; uint64_t actual_count; uint64_t tptr_length; /* Tower pointer length */ unsigned int i; 
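Review bot: The function header comment above DCE2_CoEptMapResponse (hunk @@ -50,10 +54,9 @@) is not updated for the new contract: the caller now passes `ctx_id_node` and is expected to have confirmed the context is bound to the endpoint mapper interface before this parser touches the stub data. I would add a line such as `* Precondition: ctx_id_node is the context for the tracker's ctx_id and its iface equals uuid_epm (checked in DCE2_CoResponse).`, and list the new parameter if the comment has an arguments section. The comment block and the function body both extend outside this hunk, so the existing wording could not be checked in full.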
@@ -70,9 +73,6 @@ static void DCE2_CoEptMapResponse(const DCE2_CoTracker* cot, const DceRpcCoHdr* if (stub_data == nullptr || dlen == 0) return; - ctx_id_node = (DCE2_CoCtxIdNode*)DCE2_ListFind(cot->ctx_ids, - (void*)(uintptr_t)cot->ctx_id); - if (ctx_id_node == nullptr) return; @@ -92,11 +92,19 @@ static void DCE2_CoEptMapResponse(const DCE2_CoTracker* cot, const DceRpcCoHdr* /* Get the actual count of pointers in tower array */ byte_order = DceRpcCoByteOrder(co_hdr); + + if (offset + ndr_flen > dlen) + return; + offset += DCE2_GetNdrUint3264(stub_data + offset, actual_count, offset, byte_order, ctx_id_node->transport); /* Skipping Referent IDs and moving to deferred pointers representation */ offset += actual_count * ndr_flen; + + if (offset > dlen) + return; + dce2_move(stub_data, dlen, offset); for (i = 0; i < actual_count; i++) @@ -115,6 +123,9 @@ static void DCE2_CoEptMapResponse(const DCE2_CoTracker* cot, const DceRpcCoHdr* * +-------------+---------+---------+---------+---------+ * The target is 4th & 5th floors */ + if (ndr_flen > dlen) + return; + /* Get tower length and determine the floor count offset */ fc_offset = DCE2_GetNdrUint3264(stub_data, tptr_length, offset, byte_order, ctx_id_node->transport) + DCE2_CO_MAP_TWR_LEN_OFS; @@ -1862,7 +1873,14 @@ static void DCE2_CoResponse(DCE2_SsnData* sd, DCE2_CoTracker* cot, if (cot->opnum == DCE2_CO_EPT_MAP) { - DCE2_CoEptMapResponse(cot, co_hdr, stub_data, stub_data_len); + DCE2_CoCtxIdNode* ctx_node; + ctx_node = (DCE2_CoCtxIdNode*)DCE2_ListFind(cot->ctx_ids, + (void*)(uintptr_t)cot->ctx_id); + + if (ctx_node and !DCE2_UuidCompare(&ctx_node->iface, &uuid_epm)) + { + DCE2_CoEptMapResponse(co_hdr, ctx_node, stub_data, stub_data_len); + } } } }
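Review bot: In hunk @@ -92,11 +92,19 @@ the guard `if (offset > dlen) return;` runs only after `offset += actual_count * ndr_flen;`, and `actual_count` is a 64-bit value taken from the stub data, so a large count can wrap or be truncated on assignment and still pass the check. The declaration of `offset` is outside the hunk, so its width needs confirming. Bounding the count before the addition closes that gap and also caps the `for (i = 0; i < actual_count; i++)` loop, whose counter is an `unsigned int`: `if (offset > dlen || actual_count > (uint64_t)(dlen - offset) / ndr_flen) return;`, assuming `ndr_flen` is never zero at this point. Hunk @@ -115,6 +123,9 @@ has the same shape: `if (ndr_flen > dlen)` covers the tower-length field itself but not the `fc_offset` derived from it, and the later reads at that offset are outside the hunk and should be checked against `dlen` too. Both hunks sit in the middle of DCE2_CoEptMapResponse, whose body starts and ends outside them.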
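Review bot: In hunk @@ -1862,7 +1873,14 @@ the condition `ctx_node and !DCE2_UuidCompare(&ctx_node->iface, &uuid_epm)` reads as "is not the endpoint mapper", although it is evidently meant to pass when the UUIDs match. Writing it as `if (ctx_node != nullptr and DCE2_UuidCompare(&ctx_node->iface, &uuid_epm) == 0)` makes the intent explicit; DCE2_UuidCompare's return convention is not visible here, so confirm that 0 means equal. Since this check is what keeps non-EPM stub data out of the tower parser, it deserves a comment such as `// DCE2_CO_EPT_MAP is an ept_map call only on the endpoint mapper interface; the same opnum on other interfaces has a different stub layout`. Only the interface UUID is compared, so it may be worth confirming whether the interface version stored on the context should be checked as well. DCE2_CoResponse starts and ends outside the hunk.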