[Snort-devel] integer overflow issue in PAWS window checks

Nilesh K. Patel Nilesh.k.Patel at Sophos.com
Fri Dec 22 07:45:20 EST 2017


Hi,

There is a issue in PAWS window checks in snort_steam_tcp.c
Consider you got big timestamp in last segment and  current segment has 0(zero) or  less timestamp.
Ex.
ts_last = 2331162992 and tdb->ts = 0 (bad segment) and dry run below code.

            if (validate_timestamp)
            {
                int result = 0;
                if (listener->tcp_policy->policy == STREAM_POLICY_LINUX)
                {
                    /* Linux 2.6 accepts timestamp values that are off
                     * by one. */
                    result = (int)((tdb->ts - talker->ts_last) + 1);
                }
                else
                {
                    result = (int)(tdb->ts - talker->ts_last);
                }

Here we expect result should negative as tdb->ts is less than ts_last. But as last segment got big timestamp which actually negative number in 32bit integer and if we do 0 - 2331162992 will become positive number 1963804304, but expect  < 0.

                if(result < 0)
                {
                    STREAM_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                                "Packet outside PAWS window, dropping\n"););
                    /* bail, we've got a packet outside the PAWS window! */
                    //Discard();
                    *eventcode |= EVENT_BAD_TIMESTAMP;
                    if(listener->tcp_policy->flags & STREAM_CONFIG_ENABLE_ALERTS)
                    NormalDropPacket(p);
                    return ACTION_BAD_PKT;
                }

It must fall in this if and drop this bad segment, however it is bypassing this checks due to wrongly handled comparison.
There are other checks after this, which actually updates the timestamp wrongly.

As I see this should be change or am I missing something here. Happy to give patch if you agree.

Thanks,
Nilesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20171222/df7f3afe/attachment.html>


More information about the Snort-devel mailing list