[Snort-devel] inBounds() fix less or equal to end ptr

Todd Wease twease at ...402...
Sun Jan 25 18:09:24 EST 2009


Hi rmkml,

The bytes in the payload are ordered as such, e.g. a 5 byte payload:

0  1  2  3  4  5
----------------
|  |  |  |  |  |
----------------

"isdataat: 5;" will return false.

The payload can be seen as a zero based array.  It starts at the
beginning of the payload or, if relative, at the current position in the
payload and counts off the specified number of bytes.  If there is data
at that position (at least one byte left in the payload) it returns a
match, otherwise, no match.  This is potentially open for debate, but
this is the way isdataat works currently.  The "dsize" option might be a
better choice here, although it only looks at non-stream reassembled
packets, i.e. packets directly off the wire.

At any rate, the patch is incorrect and could result in a write past the
end of a buffer.

Todd
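An added example, not code from this thread or from Snort itself, that models the isdataat semantics described above beside both versions of the bounds check; the names in_bounds, in_bounds_patched, isdataat_with, accepts_past_end and the 5-byte sample payload are constructed for the illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Snort's bounds.h check: p must address a byte inside [start, end),
   where end is one past the last payload byte. */
static int in_bounds(const uint8_t *start, const uint8_t *end, const uint8_t *p)
{
    return (p >= start && p < end);
}

/* The proposed patch: also accepts p == end, which addresses no payload byte. */
static int in_bounds_patched(const uint8_t *start, const uint8_t *end, const uint8_t *p)
{
    return (p >= start && p <= end);
}

typedef int (*bounds_fn)(const uint8_t *, const uint8_t *, const uint8_t *);

/* Model of a non-relative "isdataat:N": is there a byte at zero-based index N?
   So isdataat:N matches any payload of at least N+1 bytes. Offsets beyond len
   cannot even form a valid pointer (isdataat:1024 on a 5-byte payload), so
   they are rejected before any pointer arithmetic. */
int isdataat_with(const uint8_t *payload, size_t len, size_t n, bounds_fn check)
{
    if (n > len)
        return 0;
    const uint8_t *p = payload + n;   /* at most one past the end: legal to form */
    return check(payload, payload + len, p);
}

/* 1 if the check passes for index n although no byte exists there: the caller's
   subsequent read or write of *p would land outside the buffer. */
int accepts_past_end(const uint8_t *payload, size_t len, size_t n, bounds_fn check)
{
    return isdataat_with(payload, len, n, check) && n >= len;
}

/* Constructed 5-byte sample payload, the case drawn in the reply. */
#define SAMPLE_LEN 5
static const uint8_t sample[SAMPLE_LEN] = { 'A', 'B', 'C', 'D', 'E' };

int main(void)
{
    printf("isdataat:4, original: %d\n", isdataat_with(sample, SAMPLE_LEN, 4, in_bounds));         /* 1 */
    printf("isdataat:5, original: %d\n", isdataat_with(sample, SAMPLE_LEN, 5, in_bounds));         /* 0 */
    printf("isdataat:5, patched:  %d\n", isdataat_with(sample, SAMPLE_LEN, 5, in_bounds_patched)); /* 1 */
    printf("patched check admits an access past the end: %d\n", accepts_past_end(sample, SAMPLE_LEN, 5, in_bounds_patched)); /* 1 */
    return 0;
}
```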


rmkml wrote:
> Hi,
> I'm working with snort v2.8.3.2 (and previous) with this rule:
>  alert udp any any -> any any (msg:"work1"; isdataat:1024; sid:90005;)
> same problem with a tcp rule:
>  alert tcp any any -> any any (msg:"work2"; isdataat:1024; sid:90006;)
> but these rules do not match if udp/tcp packets have a payload/data size of
> 1024! With this patch (attached diff), these rules work:
>  +++ src/bounds.h    2009-01-25 22:33:19.000000000 +0100
>  static INLINE int inBounds(const u_int8_t *start, const u_int8_t
> *end, const u_int8_t *p)
>  {
>  -    if(p >= start && p < end)
>  +    if(p >= start && p <= end)
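Review bot: the `<=` in the `+` line makes inBounds() accept p == end, and since end is one past the last payload byte (index 5 of the 5-byte payload in the diagram above), any caller that reads or writes *p after a passing check touches memory outside the buffer, which is the overrun the reply points out. To have isdataat:1024 match a 1024-byte payload, adjust the offset the isdataat option hands to the check (or use dsize as the reply suggests) instead of widening the shared bounds helper that every caller relies on.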
>
> Please credit Crusoe Researches.
> Happy Detect!
> Rmkml
> Crusoe-Researches.com
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
