tls: set event if input buffer overflows

Set HANDSHAKE_INVALID_LENGTH event if input buffer overflows while
decoding client_hello/server_hello.
pull/2284/head
Mats Klepsland 9 years ago committed by Victor Julien
parent 1f7b813080
commit c36595eb35

@ -63,6 +63,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
{ "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT }, { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT },
{ "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT }, { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
{ "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH }, { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH },
{ "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH },
{ "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS }, { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
{ "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE }, { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE },
{ "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH }, { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
@ -247,7 +248,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
input += SSLV3_CLIENT_HELLO_RANDOM_LEN; input += SSLV3_CLIENT_HELLO_RANDOM_LEN;
if (!(HAS_SPACE(1))) if (!(HAS_SPACE(1)))
goto end; goto invalid_length;
/* skip session id */ /* skip session id */
uint8_t session_id_length = *(input++); uint8_t session_id_length = *(input++);
@ -255,7 +256,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
input += session_id_length; input += session_id_length;
if (!(HAS_SPACE(2))) if (!(HAS_SPACE(2)))
goto end; goto invalid_length;
/* skip cipher suites */ /* skip cipher suites */
uint16_t cipher_suites_length = input[0] << 8 | input[1]; uint16_t cipher_suites_length = input[0] << 8 | input[1];
@ -264,7 +265,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
input += cipher_suites_length; input += cipher_suites_length;
if (!(HAS_SPACE(1))) if (!(HAS_SPACE(1)))
goto end; goto invalid_length;
/* skip compression methods */ /* skip compression methods */
uint8_t compression_methods_length = *(input++); uint8_t compression_methods_length = *(input++);
@ -272,7 +273,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
input += compression_methods_length; input += compression_methods_length;
if (!(HAS_SPACE(2))) if (!(HAS_SPACE(2)))
goto end; goto invalid_length;
uint16_t extensions_len = input[0] << 8 | input[1]; uint16_t extensions_len = input[0] << 8 | input[1];
input += 2; input += 2;
@ -281,13 +282,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
while (processed_len < extensions_len) while (processed_len < extensions_len)
{ {
if (!(HAS_SPACE(2))) if (!(HAS_SPACE(2)))
goto end; goto invalid_length;
uint16_t ext_type = input[0] << 8 | input[1]; uint16_t ext_type = input[0] << 8 | input[1];
input += 2; input += 2;
if (!(HAS_SPACE(2))) if (!(HAS_SPACE(2)))
goto end; goto invalid_length;
uint16_t ext_len = input[0] << 8 | input[1]; uint16_t ext_len = input[0] << 8 | input[1];
input += 2; input += 2;
@ -308,7 +309,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
input += 2; input += 2;
if (!(HAS_SPACE(1))) if (!(HAS_SPACE(1)))
goto end; goto invalid_length;
uint8_t sni_type = *(input++); uint8_t sni_type = *(input++);
@ -322,13 +323,13 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
} }
if (!(HAS_SPACE(2))) if (!(HAS_SPACE(2)))
goto end; goto invalid_length;
uint16_t sni_len = input[0] << 8 | input[1]; uint16_t sni_len = input[0] << 8 | input[1];
input += 2; input += 2;
if (!(HAS_SPACE(sni_len))) if (!(HAS_SPACE(sni_len)))
goto end; goto invalid_length;
/* host_name contains the fully qualified domain name, /* host_name contains the fully qualified domain name,
and should therefore be limited by the maximum domain and should therefore be limited by the maximum domain
@ -363,6 +364,12 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, uint8_t *input,
end: end:
return 0; return 0;
invalid_length:
SCLogDebug("TLS handshake invalid length");
SSLSetEvent(ssl_state,
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH);
return 0;
} }
static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input, static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
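Review bot: The variable-length skips in the hello decoder are still done before any bound is checked — `input += session_id_length;` (L25), `input += cipher_suites_length;` (L31) and `input += compression_methods_length;` (L37) follow the length field directly, and the only guard visible around each of them is the `HAS_SPACE(1)`/`HAS_SPACE(2)` for the *next* field, so the pointer can already be past the end of the buffer when the new `goto invalid_length` fires (the lines between the hunks are not shown, but the hunk spacing leaves at most a line or two for a missing guard). Whether the following check catches that depends on how `HAS_SPACE` is defined, which is outside the hunk; if it compares an offset against the input length it will reject the next read, but the out-of-range pointer arithmetic itself is undefined behaviour and the event is then attributed to the wrong field. I would add `if (!(HAS_SPACE(session_id_length))) goto invalid_length;` before the advance on L25 and the equivalent one-line guard for the cipher-suites and compression-methods lengths, matching what the SNI path at L64 already does. The new `invalid_length` label returns 0 just like `end`, which is fine because the event is the signal, but a comment such as `/* same return as end: the decoder event, not the return value, reports the malformed hello */` would save the next reader from looking for a distinct error path. TLSDecodeHandshakeHello begins outside the hunk.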

@ -42,6 +42,7 @@ enum {
TLS_DECODER_EVENT_INVALID_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT,
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH,
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH,
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_TYPE,
TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_INVALID_SNI_LENGTH,
