Patch OOB write in content-line analyzer.

A combination of packets can trigger an out of bound write of '0' byte
in the content-line analyzer.

This bug was found by Frank Meier.

Addresses BIT-1856.
0xxon committed Oct 16, 2017
1 parent 70456d9 commit 6c0f101a62489b1c5927b4ed63b0e1d37db40282
Showing with 10 additions and 0 deletions.
  1. +10 −0 src/analyzer/protocol/tcp/ContentLine.cc
@@ -250,6 +250,16 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
case '\n':
if ( last_char == '\r' )
{
// Weird corner-case:
// this can happen if we see a \r at the end of a packet where crlf is
// set to CR_as_EOL | LF_as_EOL, with the packet causing crlf to be set to
// 0 and the next packet beginning with a \n. In this case we just swallow
// the character and re-set last_char.
if ( offset == 0 )
{
last_char = c;
break;
}
--offset; // remove '\r'
EMIT_LINE
}
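Review bot: The new `if ( offset == 0 )` branch under `case '\n':` swallows the byte without any report, so an analyzer that reaches this state leaves no trace for whoever is reading the logs. Since the comment itself calls this a weird corner-case that only arises when crlf is changed between a trailing `\r` and a leading `\n`, consider reporting it through the analyzer's usual weird/anomaly path before the `break`, so the packet sequence is visible in output. The comment also explains how the state is reached but not why the guard is needed: one more sentence saying that `--offset` at zero would move the index before the start of the buffer and that `EMIT_LINE` would then write there (the zero-byte write the commit message describes) would keep a later refactor from removing the check. "re-set last_char" reads as clearing it, while the code assigns `last_char = c`, so "set last_char to the `\n`" would be more precise. Finally, the change touches only ContentLine.cc (10 additions, 0 deletions); a regression test that feeds the two-packet sequence from the comment would pin the fix.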
