
Fix: Possible segfault in spo_database

     when the decoded IP header is supposed to have a TCP/UDP packet but
     the decoded packet does not contain such information.
     A pointer validation check has been added and behavior has been
     changed for ICMP handling which was already considering this case but
     would lead to a processing fault. (DB_DEBUG information messages
     were also added).

Bumped: Build to 319
commit 1e55588effe1a092f227ab956137b984111801d0 1 parent 722737a
@binf binf authored
Showing with 161 additions and 141 deletions.
  1. +1 −1  src/barnyard2.h
  2. +160 −140 src/output-plugins/spo_database.c
2  src/barnyard2.h
@@ -63,7 +63,7 @@
#define VER_MAJOR "2"
#define VER_MINOR "1"
#define VER_REVISION "11"
-#define VER_BUILD "318"
+#define VER_BUILD "319"
#define STD_BUF 1024
300 src/output-plugins/spo_database.c
@@ -1917,14 +1917,14 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
case IPPROTO_ICMP:
- if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
- {
- goto bad_query;
- }
-
/* IPPROTO_ICMP */
if(p->icmph)
{
+ if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+ {
+ goto bad_query;
+ }
+
/*** Build a query for the ICMP Header ***/
if(data->detail)
{
@@ -1961,10 +1961,11 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
}
else
{
- LogMessage("[%s()], unable to build query, IP header tell's us its an ICMP packet but "
- "there is not icmp header in the decoded packet ... \n",
- __FUNCTION__);
- goto bad_query;
+
+ DEBUG_WRAP(DebugMessage(DB_DEBUG,
+ "[%s()], unable to build query, IP header tell's us its an ICMP packet but "
+ "there is not ICMP header in the decoded packet ... \n",
+ __FUNCTION__));
}
break;
/* IPPROTO_ICMP */
@@ -1973,176 +1974,195 @@ int dbProcessEventInformation(DatabaseData *data,Packet *p,
/* IPPROTO_TCP */
case IPPROTO_TCP:
- if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
+ if(p->tcph)
{
- goto bad_query;
- }
-
- /*** Build a query for the TCP Header ***/
- if(data->detail)
- {
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "tcphdr (sid, cid, tcp_sport, tcp_dport, "
- "tcp_seq, tcp_ack, tcp_off, tcp_res, "
- "tcp_flags, tcp_win, tcp_csum, tcp_urp) "
- "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
- data->sid,
- data->cid,
- ntohs(p->tcph->th_sport),
- ntohs(p->tcph->th_dport),
- (u_long)ntohl(p->tcph->th_seq),
- (u_long)ntohl(p->tcph->th_ack),
- TCP_OFFSET(p->tcph),
- TCP_X2(p->tcph),
- p->tcph->th_flags,
- ntohs(p->tcph->th_win),
- ntohs(p->tcph->th_sum),
- ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+ if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
{
goto bad_query;
}
- }
- else
- {
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
- "VALUES (%u,%u,%u,%u,%u);",
- data->sid,
- data->cid,
- ntohs(p->tcph->th_sport),
- ntohs(p->tcph->th_dport),
- p->tcph->th_flags)) != SNORT_SNPRINTF_SUCCESS)
+
+ /*** Build a query for the TCP Header ***/
+ if(data->detail)
{
- goto bad_query;
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "tcphdr (sid, cid, tcp_sport, tcp_dport, "
+ "tcp_seq, tcp_ack, tcp_off, tcp_res, "
+ "tcp_flags, tcp_win, tcp_csum, tcp_urp) "
+ "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u);",
+ data->sid,
+ data->cid,
+ ntohs(p->tcph->th_sport),
+ ntohs(p->tcph->th_dport),
+ (u_long)ntohl(p->tcph->th_seq),
+ (u_long)ntohl(p->tcph->th_ack),
+ TCP_OFFSET(p->tcph),
+ TCP_X2(p->tcph),
+ p->tcph->th_flags,
+ ntohs(p->tcph->th_win),
+ ntohs(p->tcph->th_sum),
+ ntohs(p->tcph->th_urp))) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
}
- }
-
- if(data->detail)
- {
+ else
+ {
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
+ "VALUES (%u,%u,%u,%u,%u);",
+ data->sid,
+ data->cid,
+ ntohs(p->tcph->th_sport),
+ ntohs(p->tcph->th_dport),
+ p->tcph->th_flags)) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
+ }
+
+ if(data->detail)
+ {
/*** Build the query for TCP Options ***/
- for(i=0; i < (int)(p->tcp_option_count); i++)
- {
-
- if( p->tcp_options[i].len > 0)
+ for(i=0; i < (int)(p->tcp_option_count); i++)
{
- if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
- {
- goto bad_query;
- }
-
- if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
+
+ if( p->tcp_options[i].len > 0)
{
- //packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
- if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+ if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
{
- /* XXX */
goto bad_query;
}
- }
- else
- {
- //packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
- if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+
+ if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII))
{
+ //packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len);
+ if( fasthex_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+ {
/* XXX */
- goto bad_query;
+ goto bad_query;
+ }
}
- }
-
-
- if(data->dbtype_id == DB_ORACLE)
- {
- /* Oracle field BLOB type case. We append unescaped
- * opt_data data after query, which later in Insert()
- * will be cut off and uploaded with OCIBindByPos().
- */
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
- "VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
- data->sid,
- data->cid,
- i,
- 6,
- p->tcp_options[i].code,
- p->tcp_options[i].len,
- //packet_data)) != SNORT_SNPRINTF_SUCCESS)
- data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+ else
{
- goto bad_query;
- }
+ //packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
+ if( base64_STATIC(p->tcp_options[i].data, p->tcp_options[i].len,data->PacketData))
+ {
+ /* XXX */
+ goto bad_query;
+ }
+ }
- }
- else
- {
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
- "VALUES (%u,%u,%u,%u,%u,%u,'%s');",
- data->sid,
- data->cid,
- i,
- 6,
- p->tcp_options[i].code,
- p->tcp_options[i].len,
- //packet_data)) != SNORT_SNPRINTF_SUCCESS)
- data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+ if(data->dbtype_id == DB_ORACLE)
{
- goto bad_query;
+ /* Oracle field BLOB type case. We append unescaped
+ * opt_data data after query, which later in Insert()
+ * will be cut off and uploaded with OCIBindByPos().
+ */
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+ "VALUES (%u,%u,%u,%u,%u,%u,:1);|%s",
+ data->sid,
+ data->cid,
+ i,
+ 6,
+ p->tcp_options[i].code,
+ p->tcp_options[i].len,
+ //packet_data)) != SNORT_SNPRINTF_SUCCESS)
+ data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
+ }
+ else
+ {
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
+ "VALUES (%u,%u,%u,%u,%u,%u,'%s');",
+ data->sid,
+ data->cid,
+ i,
+ 6,
+ p->tcp_options[i].code,
+ p->tcp_options[i].len,
+ //packet_data)) != SNORT_SNPRINTF_SUCCESS)
+ data->PacketData)) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
}
}
}
}
- }
+ }
+ else
+ {
+ DEBUG_WRAP(DebugMessage(DB_DEBUG,
+ "[%s()], unable to build query, IP header tell's us its an TCP packet but "
+ "there is not TCP header in the decoded packet ... \n",
+ __FUNCTION__));
+ }
+
break;
/* IPPROTO_TCP */
/* IPPROTO_UDP */
case IPPROTO_UDP:
-
- /*** Build the query for the UDP Header ***/
- if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
- {
- goto bad_query;
- }
-
- if(data->detail)
+
+ if(p->udph)
{
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
- "VALUES (%u, %u, %u, %u, %u, %u);",
- data->sid,
- data->cid,
- ntohs(p->udph->uh_sport),
- ntohs(p->udph->uh_dport),
- ntohs(p->udph->uh_len),
- ntohs(p->udph->uh_chk))) != SNORT_SNPRINTF_SUCCESS)
+ /*** Build the query for the UDP Header ***/
+ if( (SQLQueryPtr=SQL_GetNextQuery(data)) == NULL)
{
goto bad_query;
}
+
+ if(data->detail)
+ {
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
+ "VALUES (%u, %u, %u, %u, %u, %u);",
+ data->sid,
+ data->cid,
+ ntohs(p->udph->uh_sport),
+ ntohs(p->udph->uh_dport),
+ ntohs(p->udph->uh_len),
+ ntohs(p->udph->uh_chk))) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
+ }
+ else
+ {
+ if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "udphdr (sid, cid, udp_sport, udp_dport) "
+ "VALUES (%u, %u, %u, %u);",
+ data->sid,
+ data->cid,
+ ntohs(p->udph->uh_sport),
+ ntohs(p->udph->uh_dport))) != SNORT_SNPRINTF_SUCCESS)
+ {
+ goto bad_query;
+ }
+ }
}
else
{
- if( (SnortSnprintf(SQLQueryPtr, MAX_QUERY_LENGTH,
- "INSERT INTO "
- "udphdr (sid, cid, udp_sport, udp_dport) "
- "VALUES (%u, %u, %u, %u);",
- data->sid,
- data->cid,
- ntohs(p->udph->uh_sport),
- ntohs(p->udph->uh_dport))) != SNORT_SNPRINTF_SUCCESS)
- {
- goto bad_query;
- }
+ DEBUG_WRAP(DebugMessage(DB_DEBUG,
+ "[%s()], unable to build query, IP header tell's us its an UDP packet but "
+ "there is not UDP header in the decoded packet ... \n",
+ __FUNCTION__));
}
break;
/* IPPROTO_UDP */
-
+
/* DEFAULT */
default:
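Review bot: In the new `else` branches for ICMP, TCP and UDP, a missing layer-4 header is reported only through `DEBUG_WRAP(DebugMessage(DB_DEBUG, ...))`, so a build where DEBUG_WRAP compiles to nothing (presumably every non-debug build) leaves no record that the IP protocol field and the decoded packet disagree. The ICMP branch used to call `LogMessage` and `goto bad_query`; all three cases now `break`, and the event is presumably stored without its header row. Such a mismatch is itself a sign of truncated or malformed traffic, so I would keep an operator-visible trace, for example a rate-limited `LogMessage("[%s()], IP header says TCP but no TCP header was decoded, header row skipped\n", __FUNCTION__);` or a per-protocol counter. A short comment above each `if(p->tcph)` / `if(p->udph)` / `if(p->icmph)` should state that skipping the row is deliberate. The three messages differ only in the protocol name and could share one helper; dbProcessEventInformation begins and ends outside the visible hunks.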