forked from wolfSSL/wolfssl
Merge pull request #4254 from dgarske/zd12681
Sniffer fix for possible math issue around 64-bit pointer and 32-bit unsigned int
This commit is contained in:
John Safranek
GitHub
@ -66,7 +66,6 @@
|
|||||||
#if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM)
|
#if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM)
|
||||||
#ifdef WOLFSSL_SNIFFER
|
#ifdef WOLFSSL_SNIFFER
|
||||||
|
|
||||||
#include <assert.h>
|
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
|
|
||||||
#ifdef FUSION_RTOS
|
#ifdef FUSION_RTOS
|
||||||
@ -1433,8 +1432,6 @@ static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo)
|
|||||||
time_t currTime = XTIME(NULL);
|
time_t currTime = XTIME(NULL);
|
||||||
word32 row = SessionHash(ipInfo, tcpInfo);
|
word32 row = SessionHash(ipInfo, tcpInfo);
|
||||||
|
|
||||||
assert(row <= HASH_SIZE);
|
|
||||||
|
|
||||||
wc_LockMutex(&SessionMutex);
|
wc_LockMutex(&SessionMutex);
|
||||||
|
|
||||||
session = SessionTable[row];
|
session = SessionTable[row];
|
||||||
@ -4121,13 +4118,15 @@ static void RemoveSession(SnifferSession* session, IpInfo* ipInfo,
|
|||||||
word32 row = rowHint;
|
word32 row = rowHint;
|
||||||
int haveLock = 0;
|
int haveLock = 0;
|
||||||
|
|
||||||
|
Trace(REMOVE_SESSION_STR);
|
||||||
|
|
||||||
if (ipInfo && tcpInfo)
|
if (ipInfo && tcpInfo)
|
||||||
row = SessionHash(ipInfo, tcpInfo);
|
row = SessionHash(ipInfo, tcpInfo);
|
||||||
else
|
else
|
||||||
haveLock = 1;
|
haveLock = 1;
|
||||||
|
|
||||||
assert(row <= HASH_SIZE);
|
if (row >= HASH_SIZE)
|
||||||
Trace(REMOVE_SESSION_STR);
|
return;
|
||||||
|
|
||||||
if (!haveLock)
|
if (!haveLock)
|
||||||
wc_LockMutex(&SessionMutex);
|
wc_LockMutex(&SessionMutex);
|
||||||
@ -4474,9 +4473,11 @@ static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
|
|||||||
int* bytesLeft)
|
int* bytesLeft)
|
||||||
{
|
{
|
||||||
PacketBuffer* pb;
|
PacketBuffer* pb;
|
||||||
|
int added = (int)(end - *begin + 1);
|
||||||
|
|
||||||
int added = end - *begin + 1;
|
if (added <= 0) {
|
||||||
assert(*begin <= end);
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
pb = (PacketBuffer*)XMALLOC(sizeof(PacketBuffer),
|
pb = (PacketBuffer*)XMALLOC(sizeof(PacketBuffer),
|
||||||
NULL, DYNAMIC_TYPE_SNIFFER_PB);
|
NULL, DYNAMIC_TYPE_SNIFFER_PB);
|
||||||
@ -4485,7 +4486,7 @@ static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
|
|||||||
pb->next = 0;
|
pb->next = 0;
|
||||||
pb->begin = *begin;
|
pb->begin = *begin;
|
||||||
pb->end = end;
|
pb->end = end;
|
||||||
pb->data = (byte*)XMALLOC(added, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER);
|
pb->data = (byte*)XMALLOC(added, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER);
|
||||||
|
|
||||||
if (pb->data == NULL) {
|
if (pb->data == NULL) {
|
||||||
XFREE(pb, NULL, DYNAMIC_TYPE_SNIFFER_PB);
|
XFREE(pb, NULL, DYNAMIC_TYPE_SNIFFER_PB);
|
||||||
@ -4514,7 +4515,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
|
|||||||
word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ?
|
word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ?
|
||||||
&session->cliReassemblyMemory : &session->srvReassemblyMemory;
|
&session->cliReassemblyMemory : &session->srvReassemblyMemory;
|
||||||
word32 startSeq = seq;
|
word32 startSeq = seq;
|
||||||
word32 added;
|
int added;
|
||||||
int bytesLeft = sslBytes; /* could be overlapping fragment */
|
int bytesLeft = sslBytes; /* could be overlapping fragment */
|
||||||
|
|
||||||
/* if list is empty add full frame to front */
|
/* if list is empty add full frame to front */
|
||||||
@ -4577,10 +4578,10 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
|
|||||||
added = bytesLeft;
|
added = bytesLeft;
|
||||||
else
|
else
|
||||||
/* we're in between two frames */
|
/* we're in between two frames */
|
||||||
added = min((word32)bytesLeft, curr->begin - seq);
|
added = min(bytesLeft, (int)(curr->begin - seq));
|
||||||
|
|
||||||
/* data already there */
|
/* data already there */
|
||||||
if (added == 0)
|
if (added <= 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (MaxRecoveryMemory != -1 &&
|
if (MaxRecoveryMemory != -1 &&
|
||||||
@ -4667,8 +4668,8 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
|
|||||||
|
|
||||||
/* may be past reassembly list end (could have more on list)
|
/* may be past reassembly list end (could have more on list)
|
||||||
so try to add what's past the front->end */
|
so try to add what's past the front->end */
|
||||||
AddToReassembly(session->flags.side, reassemblyList->end +1,
|
AddToReassembly(session->flags.side, reassemblyList->end + 1,
|
||||||
*sslFrame + reassemblyList->end - *expected + 1,
|
*sslFrame + (reassemblyList->end - *expected + 1),
|
||||||
newEnd - reassemblyList->end, session, error);
|
newEnd - reassemblyList->end, session, error);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -4718,8 +4719,8 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
|
|||||||
|
|
||||||
/* may be past reassembly list end (could have more on list)
|
/* may be past reassembly list end (could have more on list)
|
||||||
so try to add what's past the front->end */
|
so try to add what's past the front->end */
|
||||||
AddToReassembly(session->flags.side, reassemblyList->end +1,
|
AddToReassembly(session->flags.side, reassemblyList->end + 1,
|
||||||
*sslFrame + reassemblyList->end - *expected + 1,
|
*sslFrame + (reassemblyList->end - *expected + 1),
|
||||||
newEnd - reassemblyList->end, session, error);
|
newEnd - reassemblyList->end, session, error);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -4745,9 +4746,9 @@ static int FindNextRecordInAssembly(SnifferSession* session,
|
|||||||
byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
|
byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
|
||||||
&session->flags.srvSkipPartial :
|
&session->flags.srvSkipPartial :
|
||||||
&session->flags.cliSkipPartial;
|
&session->flags.cliSkipPartial;
|
||||||
word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
|
int* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
|
||||||
&session->cliReassemblyMemory :
|
(int*)&session->cliReassemblyMemory :
|
||||||
&session->srvReassemblyMemory;
|
(int*)&session->srvReassemblyMemory;
|
||||||
WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
|
WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
|
||||||
session->sslServer :
|
session->sslServer :
|
||||||
session->sslClient;
|
session->sslClient;
|
||||||
@ -4766,8 +4767,8 @@ static int FindNextRecordInAssembly(SnifferSession* session,
|
|||||||
if (ssl->buffers.inputBuffer.length > 0)
|
if (ssl->buffers.inputBuffer.length > 0)
|
||||||
Trace(DROPPING_PARTIAL_RECORD);
|
Trace(DROPPING_PARTIAL_RECORD);
|
||||||
|
|
||||||
*sslBytes = curr->end - curr->begin + 1;
|
*sslBytes = (int)(curr->end - curr->begin + 1);
|
||||||
if ( (word32)*sslBytes > ssl->buffers.inputBuffer.bufferSize) {
|
if ( *sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) {
|
||||||
if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) {
|
if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) {
|
||||||
SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
|
SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
|
||||||
return -1;
|
return -1;
|
||||||
@ -4788,18 +4789,18 @@ static int FindNextRecordInAssembly(SnifferSession* session,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
else if (ssl->specs.cipher_type == block) {
|
else if (ssl->specs.cipher_type == block) {
|
||||||
|
int ivPos = (int)(curr->end - curr->begin -
|
||||||
|
ssl->specs.block_size + 1);
|
||||||
if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
|
if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
|
||||||
#ifdef BUILD_AES
|
#ifdef BUILD_AES
|
||||||
wc_AesSetIV(ssl->decrypt.aes,
|
if (ivPos >= 0)
|
||||||
curr->data + curr->end - curr->begin
|
wc_AesSetIV(ssl->decrypt.aes, curr->data + ivPos);
|
||||||
- ssl->specs.block_size + 1);
|
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) {
|
else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) {
|
||||||
#ifdef BUILD_DES3
|
#ifdef BUILD_DES3
|
||||||
wc_Des3_SetIV(ssl->decrypt.des3,
|
if (ivPos >= 0)
|
||||||
curr->data + curr->end - curr->begin
|
wc_Des3_SetIV(ssl->decrypt.des3, curr->data + ivPos);
|
||||||
- ssl->specs.block_size + 1);
|
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -4810,7 +4811,7 @@ static int FindNextRecordInAssembly(SnifferSession* session,
|
|||||||
#endif
|
#endif
|
||||||
prev = curr;
|
prev = curr;
|
||||||
curr = curr->next;
|
curr = curr->next;
|
||||||
*reassemblyMemory -= (prev->end - prev->begin + 1);
|
*reassemblyMemory -= (int)(prev->end - prev->begin + 1);
|
||||||
FreePacketBuffer(prev);
|
FreePacketBuffer(prev);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5086,8 +5087,8 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
|
|||||||
&session->cliReassemblyMemory : &session->srvReassemblyMemory;
|
&session->cliReassemblyMemory : &session->srvReassemblyMemory;
|
||||||
|
|
||||||
while (*front && ((*front)->begin == *expected) ) {
|
while (*front && ((*front)->begin == *expected) ) {
|
||||||
word32 room = *bufferSize - *length;
|
int room = (int)(*bufferSize - *length);
|
||||||
word32 packetLen = (*front)->end - (*front)->begin + 1;
|
int packetLen = (int)((*front)->end - (*front)->begin + 1);
|
||||||
|
|
||||||
if (packetLen > room && *bufferSize < MAX_INPUT_SZ) {
|
if (packetLen > room && *bufferSize < MAX_INPUT_SZ) {
|
||||||
if (GrowInputBuffer(ssl, packetLen, *length) < 0) {
|
if (GrowInputBuffer(ssl, packetLen, *length) < 0) {
|
||||||
|
|||||||
Reference in New Issue
Block a user