[Snort-devel] Snort-devel Digest, Vol 7, Issue 3

prasanth prasanth at bbnl.co.in
Sat Dec 23 04:53:11 EST 2017


  Hi,

  Thanks for your reply. Please send me the patch and let me know how
to install it.

Regards

Prasanth


On 12/22/2017 10:30 PM, snort-devel-request at lists.snort.org wrote:
> Today's Topics:
>
>     1. Re: integer overflow issue in PAWS window checks (Nilesh K. Patel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Dec 2017 12:45:20 +0000
> From: "Nilesh K. Patel" <Nilesh.k.Patel at Sophos.com>
> To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>
> Subject: Re: [Snort-devel] integer overflow issue in PAWS window
> 	checks
> Message-ID: <3ab17b81301540c0a20a11a14b1c92b2 at AHM-EXCH4A.green.sophos>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> There is an issue in the PAWS window checks in snort_stream_tcp.c.
> Consider the case where you got a big timestamp in the last segment and the current segment has a timestamp of 0 (zero) or a smaller timestamp.
> Ex.
> ts_last = 2331162992 and tdb->ts = 0 (bad segment); dry-run the code below.
>
>              if (validate_timestamp)
>              {
>                  int result = 0;
>                  if (listener->tcp_policy->policy == STREAM_POLICY_LINUX)
>                  {
>                      /* Linux 2.6 accepts timestamp values that are off
>                       * by one. */
>                      result = (int)((tdb->ts - talker->ts_last) + 1);
>                  }
>                  else
>                  {
>                      result = (int)(tdb->ts - talker->ts_last);
>                  }
>
> Here we expect the result to be negative, as tdb->ts is less than ts_last. But the last segment got a big timestamp, which is actually a negative number as a 32-bit integer, and if we do 0 - 2331162992 it becomes the positive number 1963804304, whereas we expect < 0.
>
>                  if(result < 0)
>                  {
>                      STREAM_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
>                                  "Packet outside PAWS window, dropping\n"););
>                      /* bail, we've got a packet outside the PAWS window! */
>                      //Discard();
>                      *eventcode |= EVENT_BAD_TIMESTAMP;
>                      if(listener->tcp_policy->flags & STREAM_CONFIG_ENABLE_ALERTS)
>                          NormalDropPacket(p);
>                      return ACTION_BAD_PKT;
>                  }
>
> It must fall into this if and drop this bad segment; however, it is bypassing this check due to the wrongly handled comparison.
> There are other checks after this, which actually update the timestamp wrongly.
>
> As I see it, this should be changed, or am I missing something here? Happy to give a patch if you agree.
>
> Thanks,
> Nilesh
>
> End of Snort-devel Digest, Vol 7, Issue 3
> *****************************************
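
Added example, not part of the original messages and not Snort's own code: a standalone C program that reproduces the arithmetic of the quoted check for the values in the post and for three constructed timestamp pairs, next to a plain magnitude comparison. The function names and the uint32_t types are assumptions; RFC 7323 defines timestamp comparison modulo 2^32, which is why the two tests give different answers once the values are more than 2^31 apart.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: ts and ts_last are unsigned 32-bit TCP timestamp values. */

/* Signed difference as the quoted snippet computes it: the subtraction wraps
 * modulo 2^32, then the result is reinterpreted as a signed 32-bit value. */
static int32_t paws_delta(uint32_t ts, uint32_t ts_last, int linux_policy)
{
    uint32_t d = ts - ts_last;
    if (linux_policy)
        d += 1;                 /* off-by-one tolerance from the snippet */
    return (int32_t)d;
}

/* Decision of the quoted check: non-zero means "outside PAWS window". */
static int paws_rejects(uint32_t ts, uint32_t ts_last, int linux_policy)
{
    return paws_delta(ts, ts_last, linux_policy) < 0;
}

/* Plain magnitude comparison, with no allowance for counter wraparound. */
static int magnitude_older(uint32_t ts, uint32_t ts_last)
{
    return ts < ts_last;
}

int main(void)
{
    /* Constructed {ts, ts_last} pairs; the first uses the values from the post. */
    static const uint32_t cases[][2] = {
        { 0u,   2331162992u },  /* values from the post */
        { 100u, 200u },         /* slightly older timestamp */
        { 199u, 200u },         /* older by exactly one tick */
        { 5u,   4294967290u },  /* sender's counter wrapped past 2^32 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t ts = cases[i][0], last = cases[i][1];
        printf("ts=%-10lu ts_last=%-10lu delta=%-11ld reject=%d "
               "linux_reject=%d magnitude_older=%d\n",
               (unsigned long)ts, (unsigned long)last,
               (long)paws_delta(ts, last, 0), paws_rejects(ts, last, 0),
               paws_rejects(ts, last, 1), magnitude_older(ts, last));
    }
    return 0;
}
```

The first and last rows are indistinguishable to a signed-difference test: both are accepted, although only the last one is a genuine counter wrap.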


