[Bro-Dev] #348: Reassembler integer overflow issues. Data not delivered after 2GB

Bro Tracker bro at tracker.icir.org
Wed Jan 12 09:29:33 PST 2011

#348: Reassembler integer overflow issues. Data not delivered after 2GB
 Reporter:  gregor    |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro1.6
Component:  Bro       |    Version:  git/master
 Keywords:  inttypes  |

 The TCP Reassembler does not deliver any data to analyzers after the first
 2GB due to signed integer overflow. (Actually, it will deliver again between
 4--6GB, etc.) This happens silently, i.e., without content_gap events or
 Undelivered calls.

 This report supersedes #315 and #137.

 The TCP Reassembler (and Reassem base class) use ``int`` to keep track of
 sequence numbers and ``seq_delta`` to check for differences. If a
 connection exceeds 2GB, the relative sequence numbers (int) used by the
 Reassembler become negative. While many parts of the Reassembler still
 work (because seq_delta still reports the correct difference) some parts
 do not. In particular ``seq_to_skip`` is broken (and fails silently).
 There might well be other parts of the Reassembler that fail
 silently as well, that I haven't found yet.

 See comments in TCP_Reassembler.cc for more details.

 The Reassembler should use int64. However this will require deep changes
 to the Reassembler and the TCP Analyzer and TCP_Endpoint classes (since we
 also store sequence numbers there). Also, the analyzer framework will need
 tweaks as well (e.g., Undelivered uses ``int`` for sequence numbers, also
 has to go to 64 bit).

 As a hotfix that seems to work, I disabled the ``seq_to_skip`` features. It
 wasn't used by any analyzer or policy script (note that seq_to_skip is
 different from skip_deliveries). Hotfix is in

Ticket URL: <http://tracker.icir.org/bro/ticket/348>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
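
Added example (not part of the ticket and not Bro's source code): a simplified C model of the failure the report describes, with a 64-bit counterpart. The skip check, its default of 0, and all function names except the idea of seq_delta are assumptions chosen to reproduce the reported pattern (no delivery between 2GB and 4GB, delivery again between 4GB and 6GB).

```c
#include <stdint.h>
#include <stdio.h>

/* Wrap-aware difference of two 32-bit sequence numbers (the idea behind
   the seq_delta helper named in the ticket). Stays correct past 2GB. */
static int32_t seq_delta32(uint32_t a, uint32_t b) { return (int32_t)(a - b); }

/* Relative sequence number kept in a signed 32-bit int: it turns negative
   once the stream offset passes 2^31 bytes. */
static int32_t rel_seq32(uint64_t offset) { return (int32_t)(uint32_t)offset; }

/* ASSUMED skip check (hypothetical, for illustration): a segment is dropped
   when it ends at or before skip_to. With the feature unused, skip_to is 0,
   so every segment with a negative end offset is dropped without any event. */
static int delivered32(uint64_t offset, uint32_t len, int32_t skip_to) {
    return rel_seq32(offset + len) > skip_to;
}

/* Same check with 64-bit relative sequence numbers. */
static int delivered64(uint64_t offset, uint32_t len, int64_t skip_to) {
    return (int64_t)(offset + len) > skip_to;
}

/* Feed total_bytes in 1 MiB segments (constructed input) and count how many
   segments would be handed to the analyzer. */
static unsigned count_delivered(uint64_t total_bytes, int wide) {
    const uint32_t seg = 1u << 20;
    unsigned n = 0;
    for (uint64_t off = 0; off + seg <= total_bytes; off += seg)
        n += wide ? delivered64(off, seg, 0) : delivered32(off, seg, 0);
    return n;
}

int main(void) {
    const uint64_t GB = 1ull << 30;
    printf("32-bit: %u of 6144 segments delivered\n", count_delivered(6 * GB, 0));
    printf("64-bit: %u of 6144 segments delivered\n", count_delivered(6 * GB, 1));
    printf("delta across 2GB boundary: %d\n",
           (int)seq_delta32((uint32_t)(2 * GB + 100), (uint32_t)(2 * GB - 100)));
    return 0;
}
```

For detection purposes, the practical consequence is that a sensor with this defect stops inspecting payload on long-lived or bulk connections without reporting a gap, so missing analyzer output on large flows is not evidence that the traffic was benign.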
