diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index bdf0fbe2a3..f9e1a1770b 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -63,6 +63,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = { { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT }, { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT }, { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH }, + { "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH }, { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS }, { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE }, { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH }, @@ -247,7 +248,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, input += SSLV3_CLIENT_HELLO_RANDOM_LEN; if (!(HAS_SPACE(1))) - goto end; + goto invalid_length; /* skip session id */ uint8_t session_id_length = *(input++); @@ -255,7 +256,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, input += session_id_length; if (!(HAS_SPACE(2))) - goto end; + goto invalid_length; /* skip cipher suites */ uint16_t cipher_suites_length = input[0] << 8 | input[1]; @@ -264,7 +265,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, input += cipher_suites_length; if (!(HAS_SPACE(1))) - goto end; + goto invalid_length; /* skip compression methods */ uint8_t compression_methods_length = *(input++); @@ -272,7 +273,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, input += compression_methods_length; if (!(HAS_SPACE(2))) - goto end; + goto invalid_length; uint16_t extensions_len = input[0] << 8 | input[1]; input += 2; @@ -281,13 +282,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, while (processed_len < extensions_len) { if (!(HAS_SPACE(2))) - goto end; + goto invalid_length; uint16_t ext_type = input[0] << 8 | input[1]; input += 2; if (!(HAS_SPACE(2))) - goto end; + goto invalid_length; uint16_t ext_len = input[0] << 8 | input[1]; input += 2; @@ -308,7 +309,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, input += 2; if (!(HAS_SPACE(1))) - goto end; + goto invalid_length; uint8_t sni_type = *(input++); @@ -322,13 +323,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, } if (!(HAS_SPACE(2))) - goto end; + goto invalid_length; uint16_t sni_len = input[0] << 8 | input[1]; input += 2; if (!(HAS_SPACE(sni_len))) - goto end; + goto invalid_length; /* host_name contains the fully qualified domain name, and should therefore be limited by the maximum domain @@ -363,6 +364,12 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input, end: return 0; + +invalid_length: + SCLogDebug("TLS handshake invalid length"); + SSLSetEvent(ssl_state, + TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH); + return 0; } static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input, diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h index 30fa476c4a..3253ce46d5 100644 --- a/src/app-layer-ssl.h +++ b/src/app-layer-ssl.h @@ -42,6 +42,7 @@ enum { TLS_DECODER_EVENT_INVALID_HEARTBEAT, TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, + TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS, TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_LENGTH,