[Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Fri Aug 28 17:24:01 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21808#comment-21808 ] 

Johanna Amann commented on BIT-1464:

Could you please verify this one again?

I cannot reproduce it with the attached trace. I compiled Bro with -fsanitize=address for c,cpp and ldflags. Compiler is 

$ clang --version
clang version 3.5.2 
Target: x86_64-unknown-linux-gnu
Thread model: posix

Full output when run is:
$ bro -r build_syn_packet_val_bug.pcap 
1370797808.455532 warning in /home/johanna/bro/install-master/share/bro/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.

I also took a look at the code and did not really get far - the line it points to (52 in tcp.cc) seems to be right after a check that checks that enough data is present in the header.

> heap overflow in build_syn_packet_val
> -------------------------------------
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}
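The stack trace above is a one-byte heap read in build_syn_packet_val while the TCP analyzer handles a SYN from a trace of pure control packets; the page does not show TCP.cc itself, so the following is an added illustration, not Bro's code: a hypothetical bounds-checked walk over the TCP header and its options, with the capture length and the data-offset field both treated as untrusted, plus a constructed sample header (not the attached pcap) to exercise the valid, truncated and bad-option-length paths.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCP_MIN_HDR 20

/* Bounds-checked walk over TCP options. Returns the number of options
 * parsed, or -1 if the fixed header, the data offset, or any option
 * length would read past the 'len' bytes actually captured. */
int walk_tcp_options(const uint8_t *pkt, size_t len, int *saw_mss)
{
    *saw_mss = 0;
    if (len < TCP_MIN_HDR)
        return -1;                                 /* truncated fixed header */
    size_t hdr_len = (size_t)(pkt[12] >> 4) * 4;   /* data offset in 32-bit words */
    if (hdr_len < TCP_MIN_HDR || hdr_len > len)
        return -1;                                 /* offset claims more than captured */
    const uint8_t *opt = pkt + TCP_MIN_HDR;
    const uint8_t *end = pkt + hdr_len;            /* never dereference at or past end */
    int count = 0;
    while (opt < end) {
        uint8_t kind = *opt;
        if (kind == 0)                             /* EOL ends the option list */
            break;
        if (kind == 1) { opt++; count++; continue; } /* NOP has no length byte */
        if (end - opt < 2)                         /* no room for the length byte */
            return -1;
        uint8_t olen = opt[1];
        if (olen < 2 || olen > end - opt)          /* bogus or overlong length */
            return -1;
        if (kind == 2 && olen == 4)                /* MSS, recorded for the demo */
            *saw_mss = 1;
        opt += olen;
        count++;
    }
    return count;
}

/* Constructed sample (not from the attached pcap): a 24-byte SYN header,
 * data offset 6, carrying one MSS option. */
static const uint8_t SAMPLE_SYN[24] = {
    0x30, 0x39, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,   /* ports, seq, ack */
    0x60, 0x02, 0xff, 0xff, 0, 0, 0, 0,               /* offset 6, SYN flag */
    0x02, 0x04, 0x05, 0xb4                            /* MSS = 1460 */
};
int demo_valid(void)     { int m; return walk_tcp_options(SAMPLE_SYN, 24, &m) == 1 && m; }
int demo_truncated(void) { int m; return walk_tcp_options(SAMPLE_SYN, 22, &m); }  /* short capture */
int demo_bad_length(void)                                                           /* length 9 in 4 bytes */
{ uint8_t p[24]; int m; memcpy(p, SAMPLE_SYN, 24); p[21] = 9; return walk_tcp_options(p, 24, &m); }
```

Built with -fsanitize=address as in the comment above, the two rejecting paths return -1 before any read past the captured bytes, which is the property a walker over attacker-controlled option lengths needs.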
