Fix: Possible segfault in spo_database

when the decoded IP header is supposed to have a TCP/UDP packet but the decoded packet does not contain such information. A pointer validation check has been added and behavior has been changed for ICMP handling which was already considering this case but would lead to a processing fault. (DB_DEBUG information messages where also added). Bumped: Build to 319
firnsy · Feb 5, 2013 · 1e55588 · 1e55588
1 parent 722737a
commit 1e55588
Show file tree

Hide file tree

Showing 2 changed files with 161 additions and 141 deletions.
diff --git a/src/barnyard2.h b/src/barnyard2.h
@@ -63,7 +63,7 @@
 #define VER_MAJOR	"2"
 #define VER_MINOR	"1"
 #define VER_REVISION	"11"
-#define VER_BUILD	"318"
+#define VER_BUILD	"319"
 
 #define STD_BUF  1024
 

diff --git a/src/output-plugins/spo_database.c b/src/output-plugins/spo_database.c
@@ -1917,14 +1917,14 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 
 	    case IPPROTO_ICMP:
 
-		if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-		{
-		    goto bad_query;
-		}
-
 		/* IPPROTO_ICMP */
 		if(p->icmph)
 		{
+		    if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+		    {
+			goto bad_query;
+		    }
+
 		    /*** Build a query for the ICMP Header ***/
 		    if(data->detail)
 		    {
@@ -1961,10 +1961,11 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 		}
 		else
 		{
-		    LogMessage("[%s()], unable to build query, IP header tell's us its an ICMP packet but "
-			       "there is not icmp header in the decoded packet ... \n",
-			       __FUNCTION__);
-		    goto bad_query;
+
+		    DEBUG_WRAP(DebugMessage(DB_DEBUG,
+					    "[%s()], unable to build query, IP header tell's us its an ICMP packet but "
+					    "there is not ICMP header in the decoded packet ... \n",
+					    __FUNCTION__));
 		}
 		break;
 		/* IPPROTO_ICMP */
@@ -1973,176 +1974,195 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
 		/* IPPROTO_TCP */
 	    case IPPROTO_TCP:
 
-		if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+		if(p->tcph)
 		{
-		    goto bad_query;
-		}
-
-                /*** Build a query for the TCP Header ***/
-                if(data->detail)
-                {
-                    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-				       "INSERT INTO "
-				       "tcphdr (sid, cid, tcp_sport, tcp_dport, "
-				       "tcp_seq, tcp_ack, tcp_off, tcp_res, "
-				       "tcp_flags, tcp_win, tcp_csum, tcp_urp) "
-				       "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
-				       data->sid,
-				       data->cid,
-				       ntohs(p->tcph->th_sport),
-				       ntohs(p->tcph->th_dport),
-				       (u_long)ntohl(p->tcph->th_seq),
-				       (u_long)ntohl(p->tcph->th_ack),
-				       TCP_OFFSET(p->tcph),
-				       TCP_X2(p->tcph),
-				       p->tcph->th_flags,
-				       ntohs(p->tcph->th_win),
-				       ntohs(p->tcph->th_sum),
-				       ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+		    if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 		    {
 			goto bad_query;
 		    }
-                }
-                else
-                {
-                    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-				       "INSERT INTO "
-				       "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
-				       "VALUES (%u,%u,%u,%u,%u);",
-				       data->sid,
-				       data->cid,
-				       ntohs(p->tcph->th_sport),
-				       ntohs(p->tcph->th_dport),
-				       p->tcph->th_flags))  != SNORT_SNPRINTF_SUCCESS)
+
+		    /*** Build a query for the TCP Header ***/
+		    if(data->detail)
 		    {
-                        goto bad_query;
+			if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+					   "INSERT INTO "
+					   "tcphdr (sid, cid, tcp_sport, tcp_dport, "
+					   "tcp_seq, tcp_ack, tcp_off, tcp_res, "
+					   "tcp_flags, tcp_win, tcp_csum, tcp_urp) "
+					   "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
+					   data->sid,
+					   data->cid,
+					   ntohs(p->tcph->th_sport),
+					   ntohs(p->tcph->th_dport),
+					   (u_long)ntohl(p->tcph->th_seq),
+					   (u_long)ntohl(p->tcph->th_ack),
+					   TCP_OFFSET(p->tcph),
+					   TCP_X2(p->tcph),
+					   p->tcph->th_flags,
+					   ntohs(p->tcph->th_win),
+					   ntohs(p->tcph->th_sum),
+					   ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+			{
+			    goto bad_query;
+			}
 		    }
-                }
-
-                if(data->detail)
-                {
+		    else
+		    {
+			if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+					   "INSERT INTO "
+					   "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
+					   "VALUES (%u,%u,%u,%u,%u);",
+					   data->sid,
+					   data->cid,
+					   ntohs(p->tcph->th_sport),
+					   ntohs(p->tcph->th_dport),
+					   p->tcph->th_flags))  != SNORT_SNPRINTF_SUCCESS)
+			{
+			    goto bad_query;
+			}
+		    }
+
+		    if(data->detail)
+		    {
                     /*** Build the query for TCP Options ***/
-                    for(i=0; i < (int)(p->tcp_option_count); i++)
-                    {
-
-			if( p->tcp_options[i].len > 0)
+			for(i=0; i < (int)(p->tcp_option_count); i++)
 			{
-			    if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-			    {
-				goto bad_query;
-			    }
-
-			    if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
+
+			    if( p->tcp_options[i].len > 0)
 			    {
-				//packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
-				if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+				if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 				{
-				    /* XXX */
 				    goto bad_query;
 				}
-			    }
-			    else
-			    {
-				//packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
-				if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+
+				if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
 				{
+				    //packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
+				    if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+				    {
 				    /* XXX */
-				    goto bad_query;
+					goto bad_query;
+				    }
 				}
-			    }
-
-
-			    if(data->dbtype_id == DB_ORACLE)
-			    {
-				/* Oracle field BLOB type case. We append unescaped
-				 * opt_data data after query, which later in Insert()
-				 * will be cut off and uploaded with OCIBindByPos().
-				 */
-				if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-						   "INSERT INTO "
-						   "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
-						   "VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
-						   data->sid,
-						   data->cid,
-						   i,
-						   6,
-						   p->tcp_options[i].code,
-						   p->tcp_options[i].len,
-						   //packet_data))  != SNORT_SNPRINTF_SUCCESS)
-						   data->PacketData))  != SNORT_SNPRINTF_SUCCESS)
+				else
 				{
-				    goto bad_query;
-				}
+				    //packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
+				    if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+				    {
+				    /* XXX */
+					goto bad_query;
+				    }
+			    }
 
 
-			    }
-			    else
-			    {
-				if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-						   "INSERT INTO "
-					       "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
-						   "VALUES (%u,%u,%u,%u,%u,%u,'%s');",
-						   data->sid,
-						   data->cid,
-						   i,
-						   6,
-						   p->tcp_options[i].code,
-						   p->tcp_options[i].len,
-						   //packet_data))  != SNORT_SNPRINTF_SUCCESS)
-						   data->PacketData))  != SNORT_SNPRINTF_SUCCESS)
+				if(data->dbtype_id == DB_ORACLE)
 				{
-				    goto bad_query;
+				    /* Oracle field BLOB type case. We append unescaped
+				     * opt_data data after query, which later in Insert()
+				     * will be cut off and uploaded with OCIBindByPos().
+				     */
+				    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+						       "INSERT INTO "
+						       "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+						       "VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
+						       data->sid,
+						       data->cid,
+						       i,
+						       6,
+						       p->tcp_options[i].code,
+						       p->tcp_options[i].len,
+						       //packet_data))  != SNORT_SNPRINTF_SUCCESS)
+						       data->PacketData))  != SNORT_SNPRINTF_SUCCESS)
+				    {
+					goto bad_query;
+				    }
+				}
+				else
+				{
+				    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+						       "INSERT INTO "
+						       "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+						       "VALUES (%u,%u,%u,%u,%u,%u,'%s');",
+						       data->sid,
+						       data->cid,
+						       i,
+						       6,
+						       p->tcp_options[i].code,
+						       p->tcp_options[i].len,
+						       //packet_data))  != SNORT_SNPRINTF_SUCCESS)
+						       data->PacketData))  != SNORT_SNPRINTF_SUCCESS)
+				    {
+					goto bad_query;
+				    }
 				}
 			    }
 			}
 		    }
-                }
+		}
+		else
+                {
+                    DEBUG_WRAP(DebugMessage(DB_DEBUG,
+                                            "[%s()], unable to build query, IP header tell's us its an TCP  packet but "
+					    "there is not TCP header in the decoded packet ... \n",
+					    __FUNCTION__));
+		}
+
 		break;		
 		/* IPPROTO_TCP */
 
 
 		/* IPPROTO_UDP */
 	    case IPPROTO_UDP:
-
-                /*** Build the query for the UDP Header ***/
-		if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
-		{
-		    goto bad_query;
-		}
-
-                if(data->detail)
+
+		if(p->udph)
 		{
-		    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-				       "INSERT INTO "
-				       "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
-				       "VALUES (%u, %u, %u, %u, %u, %u);",
-				       data->sid,
-				       data->cid,
-				       ntohs(p->udph->uh_sport),
-				       ntohs(p->udph->uh_dport),
-				       ntohs(p->udph->uh_len),
-				       ntohs(p->udph->uh_chk)))  != SNORT_SNPRINTF_SUCCESS)
+		    /*** Build the query for the UDP Header ***/
+		    if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
 		    {
 			goto bad_query;
 		    }
+
+		    if(data->detail)
+		    {
+			if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+					   "INSERT INTO "
+					   "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
+					   "VALUES (%u, %u, %u, %u, %u, %u);",
+					   data->sid,
+					   data->cid,
+					   ntohs(p->udph->uh_sport),
+					   ntohs(p->udph->uh_dport),
+					   ntohs(p->udph->uh_len),
+					   ntohs(p->udph->uh_chk)))  != SNORT_SNPRINTF_SUCCESS)
+			{
+			    goto bad_query;
+			}
+		    }
+		    else
+		    {
+			if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+					   "INSERT INTO "
+					   "udphdr (sid, cid, udp_sport, udp_dport) "
+					   "VALUES (%u, %u, %u, %u);",
+					   data->sid,
+					   data->cid,
+					   ntohs(p->udph->uh_sport),
+					   ntohs(p->udph->uh_dport)))  != SNORT_SNPRINTF_SUCCESS)
+			{
+			    goto bad_query;
+			}
+		    }
 		}
 		else
 		{
-		    if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
-					"INSERT INTO "
-					"udphdr (sid, cid, udp_sport, udp_dport) "
-					"VALUES (%u, %u, %u, %u);",
-					data->sid,
-					data->cid,
-					ntohs(p->udph->uh_sport),
-				       ntohs(p->udph->uh_dport)))  != SNORT_SNPRINTF_SUCCESS)
-		    {
-			goto bad_query;
-		    }
+		    DEBUG_WRAP(DebugMessage(DB_DEBUG,
+					    "[%s()], unable to build query, IP header tell's us its an UDP packet but "
+					    "there is not UDP header in the decoded packet ... \n",
+					    __FUNCTION__));
 		}
 		break;
 		/* IPPROTO_UDP */
-
+		    
 
 		/* DEFAULT */
 	    default: