source/erf: validate record length before read

Check the ERF record length before attempting to read it as a record length less than the size of the record header is invalid. Redmine ticket: https://redmine.openinfosecfoundation.org/issues/3593
6 years ago · 4639dd7932
parent 960c52d7ff
commit 4639dd7932
3 changed files with 9 additions and 2 deletions
--- a/src/source-erf-file.c
+++ b/src/source-erf-file.c
@ -165,8 +165,13 @@ static inline TmEcode ReadErfRecord(ThreadVars *tv, Packet *p, void *data)
        }
        SCReturnInt(TM_ECODE_FAILED);
    }
-    int rlen = SCNtohs(dr.rlen);
-    int wlen = SCNtohs(dr.wlen);
+    uint16_t rlen = SCNtohs(dr.rlen);
+    uint16_t wlen = SCNtohs(dr.wlen);
+    if (rlen < sizeof(DagRecord)) {
+        SCLogError(SC_ERR_ERF_BAD_RLEN, "Bad ERF record, "
+            "record length less than size of header");
+        SCReturnInt(TM_ECODE_FAILED);
+    }
    r = fread(GET_PKT_DATA(p), rlen - sizeof(DagRecord), 1, etv->erf);
    if (r < 1) {
        if (feof(etv->erf)) {
--- a/src/util-error.c
+++ b/src/util-error.c
@ -368,6 +368,7 @@ const char * SCErrorToString(SCError err)
        CASE_CODE (SC_WARN_ANOMALY_CONFIG);
        CASE_CODE (SC_WARN_ALERT_CONFIG);
        CASE_CODE (SC_WARN_REGISTRATION_FAILED);
+        CASE_CODE (SC_ERR_ERF_BAD_RLEN);

        CASE_CODE (SC_ERR_MAX);
    }
--- a/src/util-error.h
+++ b/src/util-error.h
@ -358,6 +358,7 @@ typedef enum {
    SC_ERR_PCRE_COPY_SUBSTRING,
    SC_WARN_PCRE_JITSTACK,
    SC_WARN_REGISTRATION_FAILED,
+    SC_ERR_ERF_BAD_RLEN,

    SC_ERR_MAX
 } SCError;