feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix possible issues with math around 64-bit pointer and unsigned int (32-bit). ZD 12681

Browse Source
This commit is contained in:
David Garske
2021-07-27 11:26:52 -07:00
parent d49d8a9286
commit 3abb2b86d6
1 changed files with 26 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
src/sniffer.c
View File

@@ -4474,9 +4474,11 @@ static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
int* bytesLeft) int* bytesLeft)
{ {
PacketBuffer* pb; PacketBuffer* pb;
int added = (int)(end - *begin + 1);
int added = end - *begin + 1; if (added <= 0) {
assert(*begin <= end); return NULL;
}
pb = (PacketBuffer*)XMALLOC(sizeof(PacketBuffer), pb = (PacketBuffer*)XMALLOC(sizeof(PacketBuffer),
NULL, DYNAMIC_TYPE_SNIFFER_PB); NULL, DYNAMIC_TYPE_SNIFFER_PB);
@@ -4485,7 +4487,7 @@ static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
pb->next = 0; pb->next = 0;
pb->begin = *begin; pb->begin = *begin;
pb->end = end; pb->end = end;
pb->data = (byte*)XMALLOC(added, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER); pb->data = (byte*)XMALLOC(added, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER);
if (pb->data == NULL) { if (pb->data == NULL) {
XFREE(pb, NULL, DYNAMIC_TYPE_SNIFFER_PB); XFREE(pb, NULL, DYNAMIC_TYPE_SNIFFER_PB);
@@ -4514,7 +4516,7 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ? word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ?
&session->cliReassemblyMemory : &session->srvReassemblyMemory; &session->cliReassemblyMemory : &session->srvReassemblyMemory;
word32 startSeq = seq; word32 startSeq = seq;
word32 added; int added;
int bytesLeft = sslBytes; /* could be overlapping fragment */ int bytesLeft = sslBytes; /* could be overlapping fragment */
/* if list is empty add full frame to front */ /* if list is empty add full frame to front */
@@ -4577,10 +4579,10 @@ static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
added = bytesLeft; added = bytesLeft;
else else
/* we're in between two frames */ /* we're in between two frames */
added = min((word32)bytesLeft, curr->begin - seq); added = min(bytesLeft, (int)(curr->begin - seq));
/* data already there */ /* data already there */
if (added == 0) if (added <= 0)
continue; continue;
if (MaxRecoveryMemory != -1 && if (MaxRecoveryMemory != -1 &&
@@ -4667,8 +4669,8 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
/* may be past reassembly list end (could have more on list) /* may be past reassembly list end (could have more on list)
so try to add what's past the front->end */ so try to add what's past the front->end */
AddToReassembly(session->flags.side, reassemblyList->end +1, AddToReassembly(session->flags.side, reassemblyList->end + 1,
*sslFrame + reassemblyList->end - *expected + 1, *sslFrame + (reassemblyList->end - *expected + 1),
newEnd - reassemblyList->end, session, error); newEnd - reassemblyList->end, session, error);
} }
} }
@@ -4718,8 +4720,8 @@ static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
/* may be past reassembly list end (could have more on list) /* may be past reassembly list end (could have more on list)
so try to add what's past the front->end */ so try to add what's past the front->end */
AddToReassembly(session->flags.side, reassemblyList->end +1, AddToReassembly(session->flags.side, reassemblyList->end + 1,
*sslFrame + reassemblyList->end - *expected + 1, *sslFrame + (reassemblyList->end - *expected + 1),
newEnd - reassemblyList->end, session, error); newEnd - reassemblyList->end, session, error);
} }
} }
@@ -4745,9 +4747,9 @@ static int FindNextRecordInAssembly(SnifferSession* session,
byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ? byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
&session->flags.srvSkipPartial : &session->flags.srvSkipPartial :
&session->flags.cliSkipPartial; &session->flags.cliSkipPartial;
word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ? int* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
&session->cliReassemblyMemory : (int*)&session->cliReassemblyMemory :
&session->srvReassemblyMemory; (int*)&session->srvReassemblyMemory;
WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ? WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
session->sslServer : session->sslServer :
session->sslClient; session->sslClient;
@@ -4766,8 +4768,8 @@ static int FindNextRecordInAssembly(SnifferSession* session,
if (ssl->buffers.inputBuffer.length > 0) if (ssl->buffers.inputBuffer.length > 0)
Trace(DROPPING_PARTIAL_RECORD); Trace(DROPPING_PARTIAL_RECORD);
*sslBytes = curr->end - curr->begin + 1; *sslBytes = (int)(curr->end - curr->begin + 1);
if ( (word32)*sslBytes > ssl->buffers.inputBuffer.bufferSize) { if ( *sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) {
if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) { if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) {
SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE); SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
return -1; return -1;
@@ -4788,18 +4790,18 @@ static int FindNextRecordInAssembly(SnifferSession* session,
return 0; return 0;
} }
else if (ssl->specs.cipher_type == block) { else if (ssl->specs.cipher_type == block) {
int ivPos = (int)(curr->end - curr->begin -
ssl->specs.block_size + 1);
if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) { if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
#ifdef BUILD_AES #ifdef BUILD_AES
wc_AesSetIV(ssl->decrypt.aes, if (ivPos >= 0)
curr->data + curr->end - curr->begin wc_AesSetIV(ssl->decrypt.aes, curr->data + ivPos);
- ssl->specs.block_size + 1);
#endif #endif
} }
else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) { else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) {
#ifdef BUILD_DES3 #ifdef BUILD_DES3
wc_Des3_SetIV(ssl->decrypt.des3, if (ivPos >= 0)
curr->data + curr->end - curr->begin wc_Des3_SetIV(ssl->decrypt.des3, curr->data + ivPos);
- ssl->specs.block_size + 1);
#endif #endif
} }
} }
@@ -4810,7 +4812,7 @@ static int FindNextRecordInAssembly(SnifferSession* session,
#endif #endif
prev = curr; prev = curr;
curr = curr->next; curr = curr->next;
*reassemblyMemory -= (prev->end - prev->begin + 1); *reassemblyMemory -= (int)(prev->end - prev->begin + 1);
FreePacketBuffer(prev); FreePacketBuffer(prev);
} }
@@ -5086,8 +5088,8 @@ static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
&session->cliReassemblyMemory : &session->srvReassemblyMemory; &session->cliReassemblyMemory : &session->srvReassemblyMemory;
while (*front && ((*front)->begin == *expected) ) { while (*front && ((*front)->begin == *expected) ) {
word32 room = *bufferSize - *length; int room = (int)(*bufferSize - *length);
word32 packetLen = (*front)->end - (*front)->begin + 1; int packetLen = (int)((*front)->end - (*front)->begin + 1);
if (packetLen > room && *bufferSize < MAX_INPUT_SZ) { if (packetLen > room && *bufferSize < MAX_INPUT_SZ) {
if (GrowInputBuffer(ssl, packetLen, *length) < 0) { if (GrowInputBuffer(ssl, packetLen, *length) < 0) {