
Fix: Possible segfault in spo_database

     when the decoded IP header is supposed to have a TCP/UDP packet but
     the decoded packet does not contain such information.
     A pointer validation check has been added and behavior has been
     changed for ICMP handling which was already considering this case but
     would lead to a processing fault. (DB_DEBUG information messages
     were also added).

Bumped: Build to 319
commit 1e55588effe1a092f227ab956137b984111801d0 1 parent 722737a
Eric Lauzon binf authored

Showing 2 changed files with 161 additions and 141 deletions. Show diff stats Hide diff stats

  1. +1 1  src/barnyard2.h
  2. +160 140 src/output-plugins/spo_database.c
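--- a/src/barnyard2.h
+++ b/src/barnyard2.h
@@ -63,7 +63,7 @@
 #define VER_MAJOR "2"
 #define VER_MINOR "1"
 #define VER_REVISION "11"
-#define VER_BUILD "318"
+#define VER_BUILD "319"
 
 #define STD_BUF 1024
 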
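--- a/src/output-plugins/spo_database.c
+++ b/src/output-plugins/spo_database.c
@@ -1917,14 +1917,14 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 
 case IPPROTO_ICMP:
 
-if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-{
-goto bad_query;
-}
-
 /* IPPROTO_ICMP */
 if(p->icmph)
 {
+if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+{
+goto bad_query;
+}
+
 /*** Build a query for the ICMP Header ***/
 if(data->detail)
 {
@@ -1961,10 +1961,11 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 }
 else
 {
-LogMessage("[%s()], unable to build query, IP header tell's us its an ICMP packet but "
-"there is not icmp header in the decoded packet ... \n",
-__FUNCTION__);
-goto bad_query;
+
+DEBUG_WRAP(DebugMessage(DB_DEBUG,
+"[%s()], unable to build query, IP header tell's us its an ICMP packet but "
+"there is not ICMP header in the decoded packet ... \n",
+__FUNCTION__));
 }
 break;
 /* IPPROTO_ICMP */
@@ -1973,176 +1974,195 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 /* IPPROTO_TCP */
 case IPPROTO_TCP:
 
-if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+if(p->tcph)
 {
-goto bad_query;
-}
-
-/*** Build a query for the TCP Header ***/
-if(data->detail)
-{
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"tcphdr (sid, cid, tcp_sport, tcp_dport, "
-"tcp_seq, tcp_ack, tcp_off, tcp_res, "
-"tcp_flags, tcp_win, tcp_csum, tcp_urp) "
-"VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
-data->sid,
-data->cid,
-ntohs(p->tcph->th_sport),
-ntohs(p->tcph->th_dport),
-(u_long)ntohl(p->tcph->th_seq),
-(u_long)ntohl(p->tcph->th_ack),
-TCP_OFFSET(p->tcph),
-TCP_X2(p->tcph),
-p->tcph->th_flags,
-ntohs(p->tcph->th_win),
-ntohs(p->tcph->th_sum),
-ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 {
 goto bad_query;
 }
-}
-else
-{
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
-"VALUES (%u,%u,%u,%u,%u);",
-data->sid,
-data->cid,
-ntohs(p->tcph->th_sport),
-ntohs(p->tcph->th_dport),
-p->tcph->th_flags)) != SNORT_SNPRINTF_SUCCESS)
+
+/*** Build a query for the TCP Header ***/
+if(data->detail)
 {
-goto bad_query;
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"tcphdr (sid, cid, tcp_sport, tcp_dport, "
+"tcp_seq, tcp_ack, tcp_off, tcp_res, "
+"tcp_flags, tcp_win, tcp_csum, tcp_urp) "
+"VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
+data->sid,
+data->cid,
+ntohs(p->tcph->th_sport),
+ntohs(p->tcph->th_dport),
+(u_long)ntohl(p->tcph->th_seq),
+(u_long)ntohl(p->tcph->th_ack),
+TCP_OFFSET(p->tcph),
+TCP_X2(p->tcph),
+p->tcph->th_flags,
+ntohs(p->tcph->th_win),
+ntohs(p->tcph->th_sum),
+ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
 }
-}
-
-if(data->detail)
-{
+else
+{
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
+"VALUES (%u,%u,%u,%u,%u);",
+data->sid,
+data->cid,
+ntohs(p->tcph->th_sport),
+ntohs(p->tcph->th_dport),
+p->tcph->th_flags)) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
+}
+
+if(data->detail)
+{
 /*** Build the query for TCP Options ***/
-for(i=0; i < (int)(p->tcp_option_count); i++)
-{
-
-if( p->tcp_options[i].len > 0)
+for(i=0; i < (int)(p->tcp_option_count); i++)
 {
-if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-{
-goto bad_query;
-}
-
-if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
+
+if( p->tcp_options[i].len > 0)
 {
-//packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
-if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 {
-/* XXX */
 goto bad_query;
 }
-}
-else
-{
-//packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
-if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+
+if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
 {
+//packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
+if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+{
 /* XXX */
-goto bad_query;
+goto bad_query;
+}
 }
-}
-
-
-if(data->dbtype_id == DB_ORACLE)
-{
-/* Oracle field BLOB type case. We append unescaped
-* opt_data data after query, which later in Insert()
-* will be cut off and uploaded with OCIBindByPos().
-*/
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
-"VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
-data->sid,
-data->cid,
-i,
-6,
-p->tcp_options[i].code,
-p->tcp_options[i].len,
-//packet_data)) != SNORT_SNPRINTF_SUCCESS)
-data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+else
 {
-goto bad_query;
-}
+//packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
+if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+{
+/* XXX */
+goto bad_query;
+}
+}
 
 
-}
-else
-{
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
-"VALUES (%u,%u,%u,%u,%u,%u,'%s');",
-data->sid,
-data->cid,
-i,
-6,
-p->tcp_options[i].code,
-p->tcp_options[i].len,
-//packet_data)) != SNORT_SNPRINTF_SUCCESS)
-data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+if(data->dbtype_id == DB_ORACLE)
 {
-goto bad_query;
+/* Oracle field BLOB type case. We append unescaped
+* opt_data data after query, which later in Insert()
+* will be cut off and uploaded with OCIBindByPos().
+*/
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+"VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
+data->sid,
+data->cid,
+i,
+6,
+p->tcp_options[i].code,
+p->tcp_options[i].len,
+//packet_data)) != SNORT_SNPRINTF_SUCCESS)
+data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
+}
+else
+{
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+"VALUES (%u,%u,%u,%u,%u,%u,'%s');",
+data->sid,
+data->cid,
+i,
+6,
+p->tcp_options[i].code,
+p->tcp_options[i].len,
+//packet_data)) != SNORT_SNPRINTF_SUCCESS)
+data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
 }
 }
 }
 }
-}
+}
+else
+{
+DEBUG_WRAP(DebugMessage(DB_DEBUG,
+"[%s()], unable to build query, IP header tell's us its an TCP packet but "
+"there is not TCP header in the decoded packet ... \n",
+__FUNCTION__));
+}
+
 break;
 /* IPPROTO_TCP */
 
 
 /* IPPROTO_UDP */
 case IPPROTO_UDP:
-
-/*** Build the query for the UDP Header ***/
-if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-{
-goto bad_query;
-}
-
-if(data->detail)
+
+if(p->udph)
 {
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
-"VALUES (%u, %u, %u, %u, %u, %u);",
-data->sid,
-data->cid,
-ntohs(p->udph->uh_sport),
-ntohs(p->udph->uh_dport),
-ntohs(p->udph->uh_len),
-ntohs(p->udph->uh_chk))) != SNORT_SNPRINTF_SUCCESS)
+/*** Build the query for the UDP Header ***/
+if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 {
 goto bad_query;
 }
+
+if(data->detail)
+{
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
+"VALUES (%u, %u, %u, %u, %u, %u);",
+data->sid,
+data->cid,
+ntohs(p->udph->uh_sport),
+ntohs(p->udph->uh_dport),
+ntohs(p->udph->uh_len),
+ntohs(p->udph->uh_chk))) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
+}
+else
+{
+if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+"INSERT INTO "
+"udphdr (sid, cid, udp_sport, udp_dport) "
+"VALUES (%u, %u, %u, %u);",
+data->sid,
+data->cid,
+ntohs(p->udph->uh_sport),
+ntohs(p->udph->uh_dport))) != SNORT_SNPRINTF_SUCCESS)
+{
+goto bad_query;
+}
+}
 }
 else
 {
-if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-"INSERT INTO "
-"udphdr (sid, cid, udp_sport, udp_dport) "
-"VALUES (%u, %u, %u, %u);",
-data->sid,
-data->cid,
-ntohs(p->udph->uh_sport),
-ntohs(p->udph->uh_dport))) != SNORT_SNPRINTF_SUCCESS)
-{
-goto bad_query;
-}
+DEBUG_WRAP(DebugMessage(DB_DEBUG,
+"[%s()], unable to build query, IP header tell's us its an UDP packet but "
+"there is not UDP header in the decoded packet ... \n",
+__FUNCTION__));
 }
 break;
 /* IPPROTO_UDP */
-
+
 
 /* DEFAULT */
 default: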
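Review bot: The three new `else` branches (new lines 1964-1968 for ICMP, 2102-2108 for TCP, 2157-2161 for UDP) record the missing transport header only through `DEBUG_WRAP(DebugMessage(DB_DEBUG, ...))`, which is compiled out of non-debug builds, so a production sensor that receives packets whose IP protocol says TCP/UDP/ICMP but whose decoder left `tcph`/`udph`/`icmph` NULL (presumably truncated captures or non-initial fragments; the commit message only says the decoded packet lacks it) now stores the event without its header row and leaves no trace of why. Since the previous `LogMessage` in the ICMP branch was always visible, consider keeping an unconditional `LogMessage` at a low verbosity, or incrementing a plugin counter if one exists, so that a stream of such events is noticeable to an operator rather than silently shortening the stored records. The replaced runtime strings also carry the old typos into two new sites; a cleaner message is `"[%s()], unable to build query, IP header says this is a TCP packet but there is no TCP header in the decoded packet\n"` (same for UDP and ICMP). dbProcessEventInformation begins and ends outside these hunks.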
