From 725243b132a1887084492edcc8a2a038b6fb5c1c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 29 Aug 2019 17:36:34 -0700 Subject: [PATCH] Changed how the sniffer calculates the sslFrame size, sslBytes, and the end of packet pointer. The end of packet pointer is based on sslFrame and sslBytes. sslBytes is calculated from the total length in the IP header, rather than the caplen. The caplen may include things like Ethernet's FCS, which throws packet processing off. --- src/sniffer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 2a72d30cb..20a342036 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -3052,7 +3052,9 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet, SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } - *sslBytes = (int)(packet + length - *sslFrame); + /* We only care about the data in the TCP/IP record. There may be extra + * data after the IP record for the FCS for Ethernet. */ + *sslBytes = (int)(packet + ipInfo->total - *sslFrame); return 0; } @@ -4069,7 +4071,7 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, TcpInfo tcpInfo; IpInfo ipInfo; const byte* sslFrame; - const byte* end = packet + length; + const byte* end; int sslBytes; /* ssl bytes unconsumed */ int ret; SnifferSession* session = 0; @@ -4090,6 +4092,8 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, error) != 0) return -1; + end = sslFrame + sslBytes; + ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1;