[Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 27 21:56:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21805#comment-21805 ] 

Johanna Amann commented on BIT-1465:
------------------------------------

topic/johanna/BIT-1465 fixes this and is generally much more cautious when parsing ASN.1 dates.

Sorry, no test cases at the moment; I did not manage to trigger any of the warning messages that are given in the source code through OpenSSL sanitization of the input data.

Justin, could you take a look if this fixes the problem for you too? I was never able to trigger it with your trace.

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
>     #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
>     #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
>     #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
>     #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
>     #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
>     #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
>     #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
>     #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
>     #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
>     #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
>     #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
>     #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
>     #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
>     #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
>     #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
>     #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
>     #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
>     #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
>     #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
>     #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
>     #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
>     #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
>     #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
>     #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
>     #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
>     #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)
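The trace above is a one-byte read past the end of an ASN.1 time string (ASN1_STRING data/length pair). As an added example, not code from Bro or from the fix branch, the parser below for UTCTime and GeneralizedTime works only on the (data, length) pair and checks the remaining length before every access, so a string truncated by a malformed certificate fails instead of reading beyond the buffer; the function names `read_digits`, `days_from_civil` and `asn1_time_to_epoch` are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Read n ASCII digits at *pos into *out, advancing *pos. The length test
 * runs before any byte is touched, so truncated input fails cleanly. */
static int read_digits(const unsigned char *d, size_t len, size_t *pos,
                       size_t n, int *out)
{
    int v = 0;
    if (*pos > len || len - *pos < n) return 0;   /* not enough bytes left */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = d[*pos + i];
        if (c < '0' || c > '9') return 0;
        v = v * 10 + (c - '0');
    }
    *pos += n; *out = v;
    return 1;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's method). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse UTCTime (YYMMDDHHMMSSZ) when generalized == 0, otherwise
 * GeneralizedTime (YYYYMMDDHHMMSSZ). Never dereferences past len.
 * Returns Unix seconds, or -1 on any defect (fractional seconds and
 * +hhmm offsets are rejected rather than parsed). */
int64_t asn1_time_to_epoch(const unsigned char *d, size_t len, int generalized)
{
    size_t pos = 0;
    int y, mo, da, h, mi, s;
    if (d == NULL || !read_digits(d, len, &pos, generalized ? 4 : 2, &y))
        return -1;
    if (!generalized)
        y += (y >= 50) ? 1900 : 2000;  /* RFC 5280 two-digit year pivot */
    if (!read_digits(d, len, &pos, 2, &mo) || !read_digits(d, len, &pos, 2, &da) ||
        !read_digits(d, len, &pos, 2, &h) || !read_digits(d, len, &pos, 2, &mi) ||
        !read_digits(d, len, &pos, 2, &s))
        return -1;
    if (pos + 1 != len || d[pos] != 'Z') return -1;   /* exactly one trailing 'Z' */
    if (mo < 1 || mo > 12 || da < 1 || da > 31 || h > 23 || mi > 59 || s > 60) return -1;
    return days_from_civil(y, mo, da) * 86400 + h * 3600 + mi * 60 + s;
}
```

Passing the same buffer with a shorter declared length (as a truncated ASN1_STRING would) returns -1 rather than touching the byte beyond it.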