diff --git a/src/defrag.c b/src/defrag.c index 3a3aa06c8e..d42db1dfc4 100644 --- a/src/defrag.c +++ b/src/defrag.c @@ -297,8 +297,8 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) rp->recursion_level = p->recursion_level; int fragmentable_offset = 0; - int fragmentable_len = 0; - int hlen = 0; + uint16_t fragmentable_len = 0; + uint16_t hlen = 0; int ip_hdr_offset = 0; RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { @@ -326,8 +326,8 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) else { int pkt_end = fragmentable_offset + frag->offset + frag->data_len; if (pkt_end > (int)MAX_PAYLOAD_SIZE) { - SCLogWarning(SC_ERR_REASSEMBLY, "Failed re-assemble " - "fragmented packet, exceeds size of packet buffer."); + SCLogDebug("Failed re-assemble " + "fragmented packet, exceeds size of packet buffer."); goto error_remove_tracker; } if (PacketCopyDataOffset(rp, @@ -336,6 +336,11 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) frag->data_len - frag->ltrim) == -1) { goto error_remove_tracker; } + if (frag->offset > UINT16_MAX - frag->data_len) { + SCLogDebug("Failed re-assemble " + "fragmentable_len exceeds UINT16_MAX"); + goto error_remove_tracker; + } if (frag->offset + frag->data_len > fragmentable_len) fragmentable_len = frag->offset + frag->data_len; } @@ -345,11 +350,12 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) } } - SCLogDebug("ip_hdr_offset %u, hlen %u, fragmentable_len %u", - ip_hdr_offset, hlen, fragmentable_len); + SCLogDebug("ip_hdr_offset %u, hlen %" PRIu16 ", fragmentable_len %" PRIu16, ip_hdr_offset, hlen, + fragmentable_len); rp->ip4h = (IPV4Hdr *)(GET_PKT_DATA(rp) + ip_hdr_offset); uint16_t old = rp->ip4h->ip_len + rp->ip4h->ip_off; + DEBUG_VALIDATE_BUG_ON(hlen > UINT16_MAX - fragmentable_len); rp->ip4h->ip_len = htons(fragmentable_len + hlen); rp->ip4h->ip_off = 0; rp->ip4h->ip_csum = FixChecksum(rp->ip4h->ip_csum, @@ -431,9 +437,9 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) } PKT_SET_SRC(rp, PKT_SRC_DEFRAG); - int unfragmentable_len = 0; + uint16_t unfragmentable_len = 0; int fragmentable_offset = 0; - int fragmentable_len = 0; + uint16_t fragmentable_len = 0; int ip_hdr_offset = 0; uint8_t next_hdr = 0; RB_FOREACH(frag, IP_FRAGMENTS, &tracker->fragment_tree) { @@ -465,7 +471,10 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) /* unfragmentable part is the part between the ipv6 header * and the frag header. */ - unfragmentable_len = (fragmentable_offset - ip_hdr_offset) - IPV6_HEADER_LEN; + DEBUG_VALIDATE_BUG_ON(fragmentable_offset < ip_hdr_offset + IPV6_HEADER_LEN); + DEBUG_VALIDATE_BUG_ON( + fragmentable_offset - ip_hdr_offset - IPV6_HEADER_LEN > UINT16_MAX); + unfragmentable_len = (uint16_t)(fragmentable_offset - ip_hdr_offset - IPV6_HEADER_LEN); if (unfragmentable_len >= fragmentable_offset) goto error_remove_tracker; } @@ -484,6 +493,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p) } rp->ip6h = (IPV6Hdr *)(GET_PKT_DATA(rp) + ip_hdr_offset); + DEBUG_VALIDATE_BUG_ON(unfragmentable_len > UINT16_MAX - fragmentable_len); rp->ip6h->s_ip6_plen = htons(fragmentable_len + unfragmentable_len); /* if we have no unfragmentable part, so no ext hdrs before the frag * header, we need to update the ipv6 headers next header field. This diff --git a/src/output-tx.c b/src/output-tx.c index e51afc6d35..4bc60f90e4 100644 --- a/src/output-tx.c +++ b/src/output-tx.c @@ -141,8 +141,8 @@ static inline void OutputTxLogFiles(ThreadVars *tv, OutputFileLoggerThreadData * const uint64_t tx_id, AppLayerTxData *txd, const bool tx_complete, const bool ts_ready, const bool tc_ready, const bool ts_eof, const bool tc_eof, const bool eof) { - int packet_dir; - int opposing_dir; + uint8_t packet_dir; + uint8_t opposing_dir; bool packet_dir_ready; const bool opposing_dir_ready = eof; bool opposing_tx_ready; diff --git a/src/source-af-packet.c b/src/source-af-packet.c index c94b4a6b83..b0445eef23 100644 --- a/src/source-af-packet.c +++ b/src/source-af-packet.c @@ -948,7 +948,7 @@ static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc (ppd->tp_status & TP_STATUS_VLAN_VALID || ppd->hv1.tp_vlan_tci)) { p->vlan_id[0] = ppd->hv1.tp_vlan_tci & 0x0fff; p->vlan_idx = 1; - p->afp_v.vlan_tci = ppd->hv1.tp_vlan_tci; + p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci; } (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen); @@ -1116,7 +1116,7 @@ static void AFPCloseSocket(AFPThreadVars *ptv) } } -static void AFPSwitchState(AFPThreadVars *ptv, int state) +static void AFPSwitchState(AFPThreadVars *ptv, uint8_t state) { ptv->afp_state = state; ptv->down_count = 0; @@ -2073,7 +2073,10 @@ TmEcode AFPSetBPFFilter(AFPThreadVars *ptv) return TM_ECODE_FAILED; } - fcode.len = filter.bf_len; + if (filter.bf_len > USHRT_MAX) { + return TM_ECODE_FAILED; + } + fcode.len = (unsigned short)filter.bf_len; fcode.filter = (struct sock_filter*)filter.bf_insns; rc = setsockopt(ptv->socket, SOL_SOCKET, SO_ATTACH_FILTER, &fcode, sizeof(fcode)); diff --git a/src/source-af-packet.h b/src/source-af-packet.h index de25ff2442..d91d0cb252 100644 --- a/src/source-af-packet.h +++ b/src/source-af-packet.h @@ -97,7 +97,7 @@ typedef struct AFPIfaceConfig_ int promisc; /* misc use flags including ring mode */ unsigned int flags; - int copy_mode; + uint8_t copy_mode; ChecksumValidationMode checksum_mode; const char *bpf_filter; const char *ebpf_lb_file;