Fix header_len in GRE decoder getting out of control in some cases.

15 years ago · 3aeb86d836
parent 1c9e48ae98
commit 3aeb86d836
3 changed files with 10 additions and 4 deletions
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -108,6 +108,7 @@ enum {
    GRE_VERSION0_RECUR,             /**< gre v0 recursion control */
    GRE_VERSION0_FLAGS,             /**< gre v0 flags */
    GRE_VERSION0_HDR_TOO_BIG,       /**< gre v0 header bigger than maximum size */
+    GRE_VERSION0_MALFORMED_SRE_HDR, /**< gre v0 malformed source route entry header */
    GRE_VERSION1_CHKSUM,            /**< gre v1 checksum */
    GRE_VERSION1_ROUTE,             /**< gre v1 routing */
    GRE_VERSION1_SSR,               /**< gre v1 strict source route */
--- a/src/decode-gre.c
+++ b/src/decode-gre.c
@ -96,16 +96,15 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u

            if (GRE_FLAG_ISSET_ROUTE(p->greh))
            {
-
                gsre = (GRESreHdr *)(pkt + header_len);
                if (gsre == NULL)
                    return;

                while (1)
                {
-                    if ((header_len+GRE_SRE_HDR_LEN) > len) {
-                        DECODER_SET_EVENT(p,GRE_VERSION1_MALFORMED_SRE_HDR);
-                        break;
+                    if ((header_len + GRE_SRE_HDR_LEN) > len) {
+                        DECODER_SET_EVENT(p, GRE_VERSION0_MALFORMED_SRE_HDR);
+                        return;
                    }

                    header_len += GRE_SRE_HDR_LEN;
@ -114,6 +113,11 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
                        break;

                    header_len += gsre->sre_length;
+                    if (header_len > len) {
+                        DECODER_SET_EVENT(p, GRE_VERSION0_MALFORMED_SRE_HDR);
+                        return;
+                    }
+
                    gsre = (GRESreHdr *)(pkt + header_len);
                    if (gsre == NULL)
                        return;
--- a/src/detect-decode-event.h
+++ b/src/detect-decode-event.h
@ -97,6 +97,7 @@ struct DetectDecodeEvents_ {
    { "gre.version0_recur", GRE_VERSION0_RECUR, },
    { "gre.version0_flags", GRE_VERSION0_FLAGS, },
    { "gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, },
+    { "gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, },
    { "gre.version1_chksum", GRE_VERSION1_CHKSUM, },
    { "gre.version1_route", GRE_VERSION1_ROUTE, },
    { "gre.version1_ssr", GRE_VERSION1_SSR, },