Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault in ntlm-analyzer.pac build_av_record() #541

PSChrisHinshaw opened this issue Aug 13, 2019 · 1 comment


Copy link

commented Aug 13, 2019

I have a PCAP from one of our customers that appears to expose a segfault in ntlm-analyzer.pac. If needed, I can share this pcap after I sanitize it.

My assumption is that the NTLM packet is not properly formed, and has no AV Pairs to cycle through. The code provided below checks for an empty vector and returns if there is nothing to access.

Patch data below:
diff -Naur --exclude .git --exclude .vscode --exclude build a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
--- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac 2019-06-20 11:30:03.000000000 -0700
+++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac 2019-07-24 15:55:19.000000000 -0700
@@ -27,6 +27,10 @@
function build_av_record(val: NTLM_AV_Pair_Sequence): BroVal
RecordVal* result = new RecordVal(BifType::Record::NTLM::AVs);
+ if ( ${val.pairs}->size() == 0 )
+ {
+ return result;
+ }
for ( uint i = 0; ${val.pairs[i].id} != 0; i++ )
switch ( ${val.pairs[i].id} )

@jsiwek jsiwek added this to Unassigned / Todo in Release 3.0.0 via automation Aug 13, 2019

@jsiwek jsiwek added this to the 3.0.0 milestone Aug 13, 2019


This comment has been minimized.

Copy link

commented Aug 13, 2019

Thanks for the report and potential patch -- that particular loop does look suspicious. If you can, please do send a pcap that can reproduce the segfault just so we can confirm the exact problem, but preferably follow up with that in separate email to, optional pgp key found here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
You can’t perform that action at this time.