[Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Fri Aug 28 20:16:01 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21809#comment-21809 ] 

Justin Azoff commented on BIT-1464:

Yeah, still get the same backtrace here.

I think the problem is that bro is casting a buffer that is too small to a tcphdr.

The 2nd packet in the pcap only has a length of 60 instead of the minimum length of 64 for a tcp packet.

I don't think you can route such a packet over the internet at least :-)

> heap overflow in build_syn_packet_val
> -------------------------------------
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}
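The cause described in the comment is a buffer shorter than the header it is cast to, followed by option parsing that trusts the header's own data-offset field. As an added example (not Bro's code, and not tied to its `tcphdr` cast), the C below shows the two checks a parser needs before touching a TCP header: the fixed 20 bytes must be present, and the length claimed by the data-offset nibble must fit inside the captured bytes before any option is read. Function and enum names are hypothetical; the 24-byte SYN is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define TCP_MIN_HDR 20   /* fixed part of the TCP header */
#define TCP_MAX_HDR 60   /* largest value the 4-bit data offset can express */
enum { TCP_TRUNCATED_BASE = -1, TCP_TRUNCATED_OPTS = -2, TCP_BAD_DOFF = -3 };

/* Return the header length the data-offset field claims, but only after checking
 * that all of it lies inside buf[0..len). On failure return a negative code
 * without reading past the first 20 bytes. */
int tcp_header_len(const uint8_t *buf, size_t len)
{
    if (len < TCP_MIN_HDR)
        return TCP_TRUNCATED_BASE;            /* cannot even read the fixed fields */
    size_t doff = (size_t)(buf[12] >> 4) * 4; /* data offset: high nibble of byte 12 */
    if (doff < TCP_MIN_HDR || doff > TCP_MAX_HDR)
        return TCP_BAD_DOFF;                  /* offset field itself is invalid */
    if (doff > len)
        return TCP_TRUNCATED_OPTS;            /* options claimed but not captured */
    return (int)doff;
}

/* Count options in a header already validated by tcp_header_len();
 * returns -1 if an option's own length byte would run past hdr_len. */
int tcp_count_options(const uint8_t *buf, size_t hdr_len)
{
    int n = 0;
    for (size_t i = TCP_MIN_HDR; i < hdr_len; n++) {
        uint8_t kind = buf[i];
        if (kind == 0) break;                 /* end-of-option-list, not counted */
        if (kind == 1) { i++; continue; }     /* NOP is a single byte */
        if (i + 1 >= hdr_len) return -1;      /* length byte itself missing */
        uint8_t optlen = buf[i + 1];
        if (optlen < 2 || i + optlen > hdr_len) return -1; /* overruns header */
        i += optlen;
    }
    return n;
}

/* Constructed SYN 1234->80: doff=6 (24-byte header), flags=SYN, one MSS option. */
const uint8_t syn_with_mss[24] = {
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
    0x60, 0x02, 0xff, 0xff, 0, 0, 0, 0, 0x02, 0x04, 0x05, 0xb4 };

int main(void)
{
    int full = tcp_header_len(syn_with_mss, sizeof syn_with_mss); /* 24 */
    int cut  = tcp_header_len(syn_with_mss, 22);                  /* -2: header claims 24 */
    printf("full=%d options=%d truncated=%d\n", full,
           tcp_count_options(syn_with_mss, (size_t)full), cut);
    return 0;
}
```

Passing only the captured length (not the length the header claims) into `tcp_header_len` is what turns a short capture into a clean error instead of an out-of-bounds read.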
