patch for Bro release 0.7a175

Vern Paxson vern at icir.org
Fri Sep 20 12:54:27 PDT 2002


The 0.7a175 release had a serious bug in it, in which a malformed TCP 
option could wedge Bro.  This is fixed in the 0.7a175b release, now
available from:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a175b.tar.gz

I've also appended a patch for the 0.7a175 sources.

More generally, I want to start moving towards the notion of "stable"
versus "current" releases, where "stable" releases just have bug fixes
applied to them, and no new features.  In light of this, the above
is also available as:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7-stable.tar.gz

- Vern


*** TCP.cc.ORIG	Tue Aug 27 15:47:09 2002
--- TCP.cc.NEW	Thu Sep 19 22:49:27 2002
***************
*** 857,868 ****
  	int SACK = 0;
  
  	// Parse TCP options.
! 	char* options = (char*) tcp + sizeof(struct tcphdr);
! 	char* opt_end = (char*) tcp + tcp->th_off * 4;
  
  	while ( options < opt_end )
  		{
! 		int opt = options[0];
  
  		if ( opt == TCPOPT_EOL )
  			// All done - could flag if more junk left over ....
--- 898,909 ----
  	int SACK = 0;
  
  	// Parse TCP options.
! 	u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
! 	u_char* opt_end = (u_char*) tcp + tcp->th_off * 4;
  
  	while ( options < opt_end )
  		{
! 		unsigned int opt = options[0];
  
  		if ( opt == TCPOPT_EOL )
  			// All done - could flag if more junk left over ....
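Review bot: the type change on the `options[0]` / `options[1]` reads is the substantive fix in this hunk and deserves a comment saying so, otherwise it reads as a cosmetic `char*` to `u_char*` swap. With a signed `char`, a kind or length byte of 0x80 or above is sign-extended to a negative `int`, so a length check of the form `options + opt_len >= opt_end` is satisfied by a pointer that lies before `options` rather than after it. Two smaller points: `u_char` is a BSD typedef, and `unsigned char` (or `uint8_t`) is the portable spelling; and `opt_end` is derived from `tcp->th_off * 4` with no check that it is at least `sizeof(struct tcphdr)` or within the captured length, so unless the caller validates `th_off` the loop can read past the end of a short packet.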
***************
*** 878,899 ****
  			// We've run off the end, no room for the length.
  			break;
  
! 		int opt_len = options[1];
  
  		if ( options + opt_len >= opt_end )
  			// No room for rest of option.
  			break;
  
  		switch ( opt ) {
  		case TCPOPT_SACK_PERMITTED:
  			SACK = 1;
  			break;
  
  		case TCPOPT_MAXSEG:
  			MSS = (options[2] << 8) | options[3];
  			break;
  
  		case 3: /* TCPOPT_WSCALE */
  			winscale = options[2];
  			break;
  
--- 919,950 ----
  			// We've run off the end, no room for the length.
  			break;
  
! 		unsigned int opt_len = options[1];
  
  		if ( options + opt_len >= opt_end )
  			// No room for rest of option.
  			break;
  
+ 		if ( opt_len == 0 )
+ 			// Trashed length field.
+ 			break;
+ 
  		switch ( opt ) {
  		case TCPOPT_SACK_PERMITTED:
  			SACK = 1;
  			break;
  
  		case TCPOPT_MAXSEG:
+ 			if ( opt_len < 4 )
+ 				break;	// bad length
+ 
  			MSS = (options[2] << 8) | options[3];
  			break;
  
  		case 3: /* TCPOPT_WSCALE */
+ 			if ( opt_len < 3 )
+ 				break;	// bad length
+ 
  			winscale = options[2];
  			break;
  
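Review bot: the retained bounds test `if ( options + opt_len >= opt_end )` is off by one and should be `>`: an option occupies `opt_len` bytes starting at `options`, so one that ends exactly at `opt_end` (a SYN whose only option is the 4-byte MSS, giving `th_off` of 6) is valid but is rejected here before `MSS` is ever assigned. The new `opt_len == 0` guard is the right protection against a length that never advances the cursor, but `opt_len == 1` is equally illegal for any option that carries a length byte (the minimum is 2) and still gets through; `if ( opt_len < 2 )` covers both. The per-option checks use `< 4` and `< 3`, while the MSS and window-scale options have fixed lengths of exactly 4 and 3, so `!= 4` / `!= 3` would also reject over-long ones. Minor: `case 3: /* TCPOPT_WSCALE */` should use a named constant like the other `TCPOPT_*` kinds.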

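The following stand-alone TCP option walker applies the same guards the patch introduces (unsigned kind and length bytes, rejection of a zero length, per-option length checks) and adds the check that the data offset lies between the fixed header size and the captured length. It is an added example written for this page, not Bro's code and not part of Vern's patch; the `parse_tcp_options`, `make_header` and `parse_sample` names and the option byte strings in `main` are constructed for illustration. It treats an option whose last byte is the last byte of the header as valid, and it treats a length of 1 as malformed, since every option with a length byte is at least 2 bytes long.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds (RFC 793, RFC 1323, RFC 2018). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, OPT_WSCALE = 3, OPT_SACKPERM = 4 };

struct tcp_opts {
    int mss;        /* -1 if not present */
    int winscale;   /* -1 if not present */
    int sack_ok;    /* 1 if SACK-permitted was seen */
    int malformed;  /* 1 if the walk stopped or skipped an option on bad data */
};

/* Walk the option area of the TCP header at hdr, of which caplen bytes were
 * captured.  Returns 0 if the header could be walked, -1 if the data offset
 * is bogus (th_off < 5, or the header extends past the captured bytes). */
int parse_tcp_options(const uint8_t *hdr, size_t caplen, struct tcp_opts *out)
{
    memset(out, 0, sizeof *out);
    out->mss = out->winscale = -1;

    if (caplen < 20)
        return -1;
    size_t hlen = (size_t)(hdr[12] >> 4) * 4;   /* data offset, in bytes */
    if (hlen < 20 || hlen > caplen)
        return -1;

    const uint8_t *p = hdr + 20, *end = hdr + hlen;
    while (p < end) {
        unsigned kind = p[0];                   /* unsigned: kinds >= 0x80 stay positive */
        if (kind == OPT_EOL)
            break;
        if (kind == OPT_NOP) {
            p++;
            continue;
        }
        if (p + 1 >= end) {                     /* no room for the length byte */
            out->malformed = 1;
            break;
        }
        unsigned len = p[1];                    /* unsigned: 0x80..0xff cannot go negative */
        if (len < 2) {                          /* 0 never advances; 1 is illegal */
            out->malformed = 1;
            break;
        }
        if (len > (size_t)(end - p)) {          /* overruns the header; ending at end is fine */
            out->malformed = 1;
            break;
        }
        switch (kind) {
        case OPT_MSS:
            if (len == 4) out->mss = (p[2] << 8) | p[3]; else out->malformed = 1;
            break;
        case OPT_WSCALE:
            if (len == 3) out->winscale = p[2]; else out->malformed = 1;
            break;
        case OPT_SACKPERM:
            if (len == 2) out->sack_ok = 1; else out->malformed = 1;
            break;
        default:                                /* unknown kind: skip by its declared length */
            break;
        }
        p += len;                               /* the only place the cursor moves; len >= 2 */
    }
    return 0;
}

/* Build a constructed TCP header in buf: 20 zero bytes with th_off derived
 * from the option length (a multiple of 4), followed by the options. */
size_t make_header(uint8_t *buf, const uint8_t *opts, size_t n)
{
    memset(buf, 0, 20);
    buf[12] = (uint8_t)(((20 + n) / 4) << 4);
    memcpy(buf + 20, opts, n);
    return 20 + n;
}

/* Convenience wrapper: build a header from an option blob and parse it. */
int parse_sample(const uint8_t *opts, size_t n, struct tcp_opts *o)
{
    uint8_t buf[64];
    size_t len = make_header(buf, opts, n);
    return parse_tcp_options(buf, len, o);
}

int main(void)
{
    /* Constructed samples: a SYN with only MSS 1460; a zero-length option;
     * a length byte of 0x80; and MSS, NOP, wscale 7, NOP, NOP, SACK-permitted. */
    const uint8_t mss_only[] = { 0x02, 0x04, 0x05, 0xb4 };
    const uint8_t zero_len[] = { 0x03, 0x00, 0x00, 0x00 };
    const uint8_t high_len[] = { 0x02, 0x80, 0x05, 0xb4 };
    const uint8_t full_syn[] = { 0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x07,
                                 0x01, 0x01, 0x04, 0x02 };
    const uint8_t *samples[] = { mss_only, zero_len, high_len, full_syn };
    const size_t sizes[] = { sizeof mss_only, sizeof zero_len, sizeof high_len, sizeof full_syn };
    for (int i = 0; i < 4; i++) {
        struct tcp_opts o;
        int rc = parse_sample(samples[i], sizes[i], &o);
        printf("sample %d: rc=%d mss=%d winscale=%d sack=%d malformed=%d\n",
               i, rc, o.mss, o.winscale, o.sack_ok, o.malformed);
    }
    return 0;
}
```

The walk terminates on every input because the cursor only ever moves forward by at least one byte, and the length check compares against the remaining bytes rather than the raw pointer, so a hostile length byte cannot push the cursor before `p` or past `end`.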