[Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 20 14:00:00 PDT 2015 

Justin Azoff created BIT-1465:
---------------------------------

             Summary: heap overflow in GetTimeFromAsn1
                 Key: BIT-1465
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Justin Azoff
         Attachments: gettimefromasn_bug.pcap

This pcap requires -C

{code}
# bro -C -r gettimefromasn_bug.pcap
=================================================================
==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
READ of size 1 at 0x6020001c0001 thread T0
    #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
    #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
    #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
    #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
    #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
    #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
    #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
    #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
    #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
    #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
    #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
    #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
    #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
    #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
    #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
    #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
    #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
    #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
    #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
    #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
    #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
    #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
    #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
    #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
    #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
    #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
    #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
    #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
    #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
    #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
    #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
    #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
    #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
    #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
    #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)

{code}



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

More information about the bro-dev mailing list