From ed11e32076cc72fee15ea8975de29b82c333cd1c Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 15 Dec 2021 21:11:05 +0100
Subject: [PATCH] enip: fix too restrictive check in probing parser

As is shown later in the code, enip_len can be ENIP_LEN_REGISTER_SESSION which is 4, which is smaller than sizeof(ENIPEncapHdr) which is 24
---
 src/app-layer-enip.c | 15 ++++++--------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c
index cc814bc808..25322ab1a9 100644
--- a/src/app-layer-enip.c
+++ b/src/app-layer-enip.c
@@ -359,15 +359,7 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 uint32_t option; uint16_t nbitems;
- int ret = ByteExtractUint16( &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2)); if (ret < 0) { return ALPROTO_FAILED; } if (enip_len < sizeof(ENIPEncapHdr)) { return ALPROTO_FAILED; } ret = ByteExtractUint32(
+ int ret = ByteExtractUint32( &status, BYTE_LITTLE_ENDIAN, sizeof(uint32_t), (const uint8_t *)(input + 8)); if (ret < 0) { return ALPROTO_FAILED;
@@ -394,6 +386,11 @@ static uint16_t ENIPProbingParser(Flow *f, uint8_t direction,
 if (ret < 0) { return ALPROTO_FAILED; }
+ ret = ByteExtractUint16( &enip_len, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *)(input + 2)); if (ret < 0) { return ALPROTO_FAILED; } //ok for all the known commands switch(cmd) {
-- 
2.47.2
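Review bot: With the `enip_len < sizeof(ENIPEncapHdr)` lower bound dropped in the first hunk, nothing in either hunk ties the reads at `input + 2` and `input + 8` to the real buffer size, so the probe's memory safety now rests entirely on an input_len check against the 24-byte encapsulation header that must live earlier in ENIPProbingParser, outside both hunks — please confirm it is still there and precedes every ByteExtract call. The relocated extraction of enip_len in the second hunk reads the length after status and cmd and does not validate it locally, which a reader will not expect without a why-comment, e.g. `/* enip_len is command-specific (RegisterSession carries ENIP_LEN_REGISTER_SESSION, 4 bytes, below sizeof(ENIPEncapHdr)); it is checked per command in the switch below */`. The commit message's claim that later code validates enip_len per command is not visible here, so that check should be verified for every case of `switch(cmd)`, including the default path, before the probe reports a match. ENIPProbingParser begins before the first hunk and continues past the second.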