Snort mailing list archives

Re: Snort-devel Digest, Vol 7, Issue 3


From: prasanth <prasanth () bbnl co in>
Date: Sat, 23 Dec 2017 15:23:11 +0530

Hi,

Thanks for your reply. Please send me the patch and let me know how to install it.

Regards

Prasanth


On 12/22/2017 10:30 PM, snort-devel-request () lists snort org wrote:
Today's Topics:

    1. Re: integer overflow issue in PAWS window checks (Nilesh K. Patel)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Dec 2017 12:45:20 +0000
From: "Nilesh K. Patel" <Nilesh.k.Patel () Sophos com>
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] integer overflow issue in PAWS window
        checks
Message-ID: <3ab17b81301540c0a20a11a14b1c92b2@AHM-EXCH4A.green.sophos>
Content-Type: text/plain; charset="us-ascii"

Hi,

There is an issue in the PAWS window checks in snort_stream_tcp.c.
Consider that you got a big timestamp in the last segment and the current segment has a 0 (zero) or smaller timestamp.
Ex.
ts_last = 2331162992 and tdb->ts = 0 (bad segment); dry run the code below.

             if (validate_timestamp)
             {
                 int result = 0;
                 if (listener->tcp_policy->policy == STREAM_POLICY_LINUX)
                 {
                     /* Linux 2.6 accepts timestamp values that are off
                      * by one. */
                     result = (int)((tdb->ts - talker->ts_last) + 1);
                 }
                 else
                 {
                     result = (int)(tdb->ts - talker->ts_last);
                 }

Here we expect that result should be negative, as tdb->ts is less than ts_last. But as the last segment got a big timestamp, which is actually a negative number as a 32-bit integer, if we do 0 - 2331162992 it becomes the positive number 1963804304, but we expect < 0.

                 if(result < 0)
                 {
                     STREAM_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                                 "Packet outside PAWS window, dropping\n"););
                     /* bail, we've got a packet outside the PAWS window! */
                     //Discard();
                     *eventcode |= EVENT_BAD_TIMESTAMP;
                     if(listener->tcp_policy->flags & STREAM_CONFIG_ENABLE_ALERTS)
                     NormalDropPacket(p);
                     return ACTION_BAD_PKT;
                 }

It must fall into this if and drop this bad segment; however, it is bypassing these checks due to a wrongly handled comparison.
There are other checks after this, which actually update the timestamp wrongly.

As I see it, this should be changed, or am I missing something here? Happy to give a patch if you agree.

Thanks,
Nilesh
------------------------------

Subject: Digest Footer

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel


------------------------------

End of Snort-devel Digest, Vol 7, Issue 3
*****************************************
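
The arithmetic from the quoted message, as an added example (not code from Snort or from either poster): it assumes both timestamps are unsigned 32-bit values, and the function names are hypothetical. It runs the fragment's signed-difference test next to a plain unsigned comparison. The signed difference is the modulo-2^32 ordering that RFC 7323 defines for timestamp comparison, so a value more than 2^31 behind ts_last is read as ahead of it.

```c
#include <stdint.h>
#include <stdio.h>

/* Signed 32-bit difference, as computed in the quoted fragment.
 * Assumption: ts and ts_last are uint32_t. linux_policy adds the +1 slack. */
static int32_t paws_signed_diff(uint32_t ts, uint32_t ts_last, int linux_policy)
{
    uint32_t d = (uint32_t)(ts - ts_last);      /* wraps modulo 2^32 */
    if (linux_policy)
        d = (uint32_t)(d + 1u);
    return (int32_t)d;                          /* two's-complement reinterpretation */
}

/* Fragment's test: reject only when the signed difference is negative. */
static int paws_reject_signed(uint32_t ts, uint32_t ts_last, int linux_policy)
{
    return paws_signed_diff(ts, ts_last, linux_policy) < 0;
}

/* Plain magnitude comparison with no wraparound handling, for contrast. */
static int paws_reject_plain(uint32_t ts, uint32_t ts_last)
{
    return ts < ts_last;
}

int main(void)
{
    /* Constructed cases; the first uses the values from the message. */
    static const struct { uint32_t ts, ts_last; const char *note; } cases[] = {
        { 0u,          2331162992u, "values from the message" },
        { 2331162000u, 2331162992u, "slightly older timestamp" },
        { 2331162991u, 2331162992u, "one tick older" },
        { 5u,          4294967290u, "legitimate wrap past 2^32" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t ts = cases[i].ts, last = cases[i].ts_last;
        printf("%-26s diff=%11d signed=%d linux=%d plain=%d\n", cases[i].note,
               (int)paws_signed_diff(ts, last, 0),
               paws_reject_signed(ts, last, 0),
               paws_reject_signed(ts, last, 1),
               paws_reject_plain(ts, last));
    }
    return 0;
}
```

The last row is the case a plain comparison gets wrong: a sender whose timestamp clock has wrapped past 2^32 would have every later segment rejected.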