
Re: Re: [Snort-users] SNMP plugin removed from Snort + stream4 patch for 1.9.1


From: "Ian S. Nelson" <ian () latis com>
Date: Fri, 18 Apr 2003 09:04:07 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Marty,
    Dave Greenstein, my coworker, rolled some of those changes into a
1.9.1 patch.   I've included another copy.

Thanks,
Ian


Martin Roesch wrote:

We will put the plugin up on snort.org in the contrib section in the near
future.  

I'm going to do a patch for 1.9.1 to address the overflow, but people
should
really move up to 2.0.0 as soon as possible, there are a lot of good
reasons
to do so.  (the snmp output plugin should be able to plug in to 2.0 if
necessary...)

    -Marty

On 4/17/03 6:56 AM, "Martin Olsson" <elof () sentor se> wrote:


We use the snmp-output-plugin with a NMS too, so we hope the snmp-support
will be added again soon.

If this support is NOT to be added soon, it would be greatly appreciated
if the developers told us so ASAP.


Meanwhile it would be very nice if the developers could create a
1.9.1-patch for the buffer overflow in the stream4-plugin, so we who use
snort with snmp can continue to use it without having to upgrade to v2.0.

Regards,
Martin





- --
~/.latissig

. . .
*Ian S. Nelson
Sr. Software Engineer*
*Latis Networks, Inc.*

303-642-4513 Direct
303-642-4501 Fax

www.stillsecure.com <http://www.stillsecure.com>
/Reducing your risk has never been this easy./
. . .
/The information transmitted is intended only for the person
to which it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer. /

 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
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=/fpX
-----END PGP SIGNATURE-----

diff -urP snort-1.9.1/src/bounds.h SnortSource-1.9.1/src/bounds.h
--- snort-1.9.1/src/bounds.h    1969-12-31 17:00:00.000000000 -0700
+++ SnortSource-1.9.1/src/bounds.h      2003-04-16 13:54:01.000000000 -0600
@@ -0,0 +1,128 @@
+#ifndef _BOUNDS_H
+#define _BOUNDS_H
+/*
+** Copyright (C) 2003, Sourcefire, Inc.
+**               Chris Green <cmg () sourcefire com>
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+**
+*/
+
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "snort.h"
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <unistd.h>
+
+/* This INLINE is conflicting with the INLINE defined in bitop.h.
+ * So, let's just add a little sanity check here.
+ */
+#ifndef DEBUG
+    #ifndef INLINE
+        #define INLINE inline
+    #endif
+    #define ERRORRET return 0;
+#else
+    #ifdef INLINE
+        #undef INLINE
+    #endif
+    #define INLINE   
+    #define ERRORRET assert(0==1)
+#endif /* DEBUG */
+
+/*
+ * Check to make sure that p is less than or equal to the ptr range
+ * pointers
+ *
+ * 1 means it's in bounds, 0 means it's not
+ */
+static INLINE int inBounds(u_int8_t *start, u_int8_t *end, u_int8_t *p)
+{
+    if(p >= start && p < end)
+    {
+        return 1;
+    }
+    
+    return 0;
+}
+
+/** 
+ * A Safer Memcpy
+ * 
+ * @param dst where to copy to
+ * @param src where to copy from
+ * @param n number of bytes to copy
+ * @param start start of the dest buffer
+ * @param end end of the dst buffer
+ * 
+ * @return 0 on failure, 1 on success
+ */
+static INLINE int SafeMemcpy(void *dst, void *src, size_t n, void *start, void *end)
+{
+     if(n < 1)
+     {
+         ERRORRET;
+     }
+
+     if(!inBounds(start,end, dst) || !inBounds(start,end,((u_int8_t*)dst)+n))
+     {
+         ERRORRET;
+     }
+
+     memcpy(dst, src, n);
+     return 1;
+}
+
+/** 
+ * A Safer *a = *b
+ * 
+ * @param start start of the dst buffer
+ * @param end end of the dst buffer
+ * @param dst the location to write to
+ * @param src the source to read from
+ * 
+ * @return 0 on failure, 1 on success
+ */
+static INLINE int SafeWrite(u_int8_t *start, u_int8_t *end, u_int8_t *dst, u_int8_t *src)
+{
+    if(!inBounds(start, end, dst))
+    {
+        ERRORRET;
+    }
+     
+    *dst = *src;        
+    return 1;
+}
+
+static inline int SafeRead(u_int8_t *start, u_int8_t *end, u_int8_t *src, u_int8_t *read)
+{
+    if(!inBounds(start,end, src))
+    {
+        ERRORRET;
+    }
+    
+    *read = *start;
+    return 1;
+}
+
+#endif /* _BOUNDS_H */
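Review bot: SafeRead copies the wrong byte: its last statement `*read = *start;` reads from the buffer start rather than from the `src` pointer that inBounds just validated, so the check guards a read that never happens; it should be `*read = *src;`. SafeRead is also declared `static inline` where the other helpers use `static INLINE`, so a DEBUG build (which defines INLINE empty) still requests inlining for this one function. SafeMemcpy refuses a copy that ends exactly at `end`, because inBounds tests `p < end` against `dst + n` while the last byte written is `dst + n - 1`; testing `(u_int8_t*)dst + n - 1`, or comparing `n` against `(u_int8_t*)end - (u_int8_t*)dst` so no pointer past the buffer is formed, fixes that. In a DEBUG build ERRORRET expands to `assert(0==1)` with no `return`, so if NDEBUG is also defined the failure path falls straight through into the memcpy.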
diff -urP snort-1.9.1/src/preprocessors/spp_frag2.c SnortSource-1.9.1/src/preprocessors/spp_frag2.c
--- snort-1.9.1/src/preprocessors/spp_frag2.c   2002-08-21 07:02:01.000000000 -0600
+++ SnortSource-1.9.1/src/preprocessors/spp_frag2.c     2003-04-16 13:54:00.000000000 -0600
@@ -1,4 +1,4 @@
-/* $Id: snort.1911.patch,v 1.1 2003/04/16 21:01:44 inelson Exp $ */
+/* $Id: snort.1911.patch,v 1.1 2003/04/16 21:01:44 inelson Exp $ */
 
 /*
 ** Copyright (C) 1998-2002 Martin Roesch <roesch () sourcefire com>
@@ -60,6 +60,7 @@
 #include <ctype.h>
 #include <rpc/types.h>
 
+#include "bounds.h"
 #include "generators.h"
 #include "log.h"
 #include "detect.h"
@@ -98,6 +99,10 @@
 #define SPARC_TWIDDLE       0
 #endif
 
+
+#define DATASIZE (ETHERNET_HEADER_LEN+65536)
+
+
 /*  D A T A   S T R U C T U R E S  **********************************/
 typedef struct _Frag2Data
 {
@@ -301,8 +306,10 @@
                 (buf+frag->offset)););
 
     if((frag->offset + frag->size) < 65516)
-    {
-        memcpy(buf+frag->offset, frag->data, frag->size);
+    { 
+       SafeMemcpy(buf+frag->offset, frag->data, frag->size,
+                  defrag_pkt->pkt, defrag_pkt->pkt + DATASIZE);
+       //        memcpy(buf+frag->offset, frag->data, frag->size);
         pc.rebuild_element++;
     }
     else
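Review bot: The return value of the new `SafeMemcpy(buf+frag->offset, frag->data, frag->size, ...)` call is discarded, so when the copy is refused the code still runs `pc.rebuild_element++` and carries on as if the fragment had been placed. That refusal is exactly the overflow this patch is meant to catch, so it should at least be visible: `if(SafeMemcpy(buf+frag->offset, frag->data, frag->size, defrag_pkt->pkt, defrag_pkt->pkt + DATASIZE))` around the counter, ideally with a debug message on the failing path. The same discarded return occurs at all three SafeMemcpy call sites in spp_stream4.c, where `bd->total_size` is then increased by bytes that were never written into the buffer. The bound `defrag_pkt->pkt + DATASIZE` presumes `buf` points into `defrag_pkt->pkt` and that the packet buffer really is ETHERNET_HEADER_LEN+65536 bytes; neither is visible here, so a comment at the DATASIZE definition naming the allocation it mirrors would help. The commented-out `//        memcpy(...)` line is dead code and should be dropped; the enclosing function starts and ends outside this hunk.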
diff -urP snort-1.9.1/src/preprocessors/spp_stream4.c SnortSource-1.9.1/src/preprocessors/spp_stream4.c
--- snort-1.9.1/src/preprocessors/spp_stream4.c 2003-02-14 12:32:27.000000000 -0700
+++ SnortSource-1.9.1/src/preprocessors/spp_stream4.c   2003-04-16 13:53:59.000000000 -0600
@@ -1,4 +1,4 @@
-/* $Id: snort.1911.patch,v 1.1 2003/04/16 21:01:44 inelson Exp $ */
+/* $Id: snort.1911.patch,v 1.1 2003/04/16 21:01:44 inelson Exp $ */
 
 /*
 ** Copyright (C) 1998-2002 Martin Roesch <roesch () sourcefire com>
@@ -37,6 +37,17 @@
 #include "config.h"
 #endif
 
+#ifndef DEBUG
+    #ifndef INLINE
+        #define INLINE inline
+    #endif
+#else
+    #ifdef INLINE
+        #undef INLINE
+    #endif
+    #define INLINE   
+#endif /* DEBUG */
+
 #include <sys/types.h>
 #include <stdlib.h>
 #include <string.h>
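Review bot: The INLINE/DEBUG block added here is a copy of the one bounds.h defines, and bounds.h is included a few lines further down in this same file before INLINE is first used, so the copy is redundant and the two can drift apart. Drop it and rely on the header, or move the definition to a single shared header; bounds.h itself already notes a conflict with bitop.h's INLINE, which a third definition does not help. The closing `#define INLINE   ` line also carries trailing whitespace.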
@@ -53,6 +64,7 @@
 #include <strings.h>
 #endif
 
+#include "bounds.h"
 #include "decode.h"
 #include "event.h"
 #include "debug.h"
@@ -75,6 +87,9 @@
 void PreprocRestartFunction(int);
 void PreprocCleanExitFunction(int);
 
+
+static INLINE int isBetween(u_int32_t low, u_int32_t high, u_int32_t cur);
+
 /*  D E F I N E S  **************************************************/
 
 /* normal TCP states */
@@ -127,6 +142,8 @@
 #define REVERSE     0
 #define NO_REVERSE  1
 
+#define MAX_STREAM_SIZE (IP_MAXPACKET - IP_HEADER_LEN - TCP_HEADER_LEN)
+                                       
 #define METHOD_FAVOR_NEW  0x01
 #define METHOD_FAVOR_OLD  0x02
 
@@ -342,6 +359,11 @@
 
 
     
+static INLINE int isBetween(u_int32_t low, u_int32_t high, u_int32_t cur)
+{
+    return (cur - low) <= (high - low);
+}
+
 
 static int CompareFunc(ubi_trItemPtr ItemPtr, ubi_trNodePtr NodePtr)
 {
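Review bot: isBetween has no comment, and its contract is not obvious from `(cur - low) <= (high - low)`: the unsigned subtraction makes it a wrap-tolerant test over 32-bit sequence space that is inclusive at both ends, i.e. true when `cur == high`, whereas some of the strict `<`/`>` comparisons it replaces later in this file were exclusive. Add above it: `/* True iff cur lies in the closed interval [low, high] of 32-bit sequence space, tolerating wrap-around; inclusive at both ends, so callers replacing a strict comparison must exclude the endpoint themselves. */`.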
@@ -462,7 +484,8 @@
     /* don't reassemble if we're before the start sequence number or 
      * after the last ack'd byte
      */
-    if(spd->seq_num < s->base_seq || spd->seq_num > s->last_ack) {
+    if(!isBetween(s->base_seq, s->last_ack, spd->seq_num)) {
+         //    if(spd->seq_num < s->base_seq || spd->seq_num > s->last_ack) {
         DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
                                 "not reassembling because"
                                 " we're (%u) before isn(%u) or after last_ack(%u)\n",
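Review bot: The old condition is kept as a `//` comment on the line right after the opening brace, inside the body of the new if, and the same pattern recurs at the three following conditions and at every SafeMemcpy call in this file; commented-out code should be deleted, since the diff already records what was replaced. If a reminder of the previous semantics is wanted, a one-line why-comment above the condition, e.g. `/* wrap-aware replacement for seq_num < base_seq || seq_num > last_ack */`, reads better than a dead statement. At this site the new test is inclusive at both ends, which matches the original's `<`/`>` pair, so there is no behaviour change here.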
@@ -471,8 +494,10 @@
     }
 
     /* if it's in bounds... */
-    if(spd->seq_num >= s->base_seq && spd->seq_num >= s->next_seq &&
-       (spd->seq_num+spd->payload_size) <= s->last_ack)
+    if(isBetween(s->base_seq, s->last_ack, spd->seq_num) &&
+       isBetween(s->base_seq, s->last_ack, (spd->seq_num+spd->payload_size)))
+         //    if(spd->seq_num >= s->base_seq && spd->seq_num >= s->next_seq &&
+         //       (spd->seq_num+spd->payload_size) <= s->last_ack)
     {
         offset = spd->seq_num - s->base_seq;
         
@@ -487,16 +512,22 @@
                                 spd->seq_num, s->last_ack, s->base_seq,
                                 spd->payload_size, s->next_seq, offset));
 
-        memcpy(buf+offset, spd->payload, spd->payload_size);
+
+        SafeMemcpy(buf+offset, spd->payload, spd->payload_size,
+                   stream_pkt->data, stream_pkt->data + MAX_STREAM_SIZE);
+
+               //        memcpy(buf+offset, spd->payload, spd->payload_size);
 
         pc.rebuilt_segs++;
 
         spd->chuck = 1;
         bd->total_size += spd->payload_size;
     } 
-    else if(spd->seq_num >= s->base_seq && 
-            spd->seq_num < s->last_ack &&
-            spd->seq_num + spd->payload_size > s->last_ack)
+    else if(isBetween(s->base_seq, s->last_ack, spd->seq_num) &&
+            ((spd->seq_num + spd->payload_size) > s->last_ack))
+         //    else if(spd->seq_num >= s->base_seq && 
+         //            spd->seq_num < s->last_ack &&
+         //            spd->seq_num + spd->payload_size > s->last_ack)
     {
         /*
          *  if it starts in bounds and hasn't been completely ack'd, 
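Review bot: The rewritten else-if changes a boundary: the original `spd->seq_num < s->last_ack` was strict, while `isBetween(s->base_seq, s->last_ack, spd->seq_num)` is inclusive, so a segment starting exactly at last_ack now enters the partial-copy branch whenever its payload is non-empty; the later branch where `spd->seq_num+spd->payload_size > s->base_seq` became an inclusive isBetween test likewise now admits a segment that ends exactly at base_seq with nothing to copy. If that is intended, say so in a comment; otherwise keep the strict form, e.g. `isBetween(s->base_seq, s->last_ack, spd->seq_num) && spd->seq_num != s->last_ack`. The preceding hunk also drops the original `spd->seq_num >= s->next_seq` clause from the full-copy condition without explanation, which is a semantic change beyond the overflow fix and deserves a one-line comment or its own commit. The bound `stream_pkt->data + MAX_STREAM_SIZE` presumes stream_pkt->data is allocated to exactly that size, which is not visible here. The body of the partial-copy branch, where trunc_size is computed, lies outside this hunk, so whether a zero-length copy is then handled cannot be confirmed from the diff.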
@@ -518,7 +549,9 @@
             DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Copying %d bytes into buffer, "
                                     "offset %d, buf %p\n", trunc_size, offset, 
                                     buf););
-            memcpy(buf+offset, spd->payload, trunc_size);
+            SafeMemcpy(buf+offset, spd->payload, trunc_size,
+                       stream_pkt->data, stream_pkt->data + MAX_STREAM_SIZE);            
+                       //            memcpy(buf+offset, spd->payload, trunc_size);
             pc.rebuilt_segs++;
             bd->total_size += trunc_size;
         }
@@ -531,7 +564,9 @@
         spd->chuck = 1;
     }
     else if(spd->seq_num < s->base_seq && 
-            spd->seq_num+spd->payload_size > s->base_seq)
+            isBetween(s->base_seq, s->last_ack, (spd->seq_num+spd->payload_size)))
+         //    else if(spd->seq_num < s->base_seq && 
+         //            spd->seq_num+spd->payload_size > s->base_seq)
     {
         /* case where we've got a segment that wasn't completely ack'd 
          * last time it was processed, do a partial copy into the buffer
@@ -550,7 +585,9 @@
             DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Copying %d bytes into buffer, "
                                     "offset %d, buf %p\n", trunc_size, offset, 
                                     buf););
-            memcpy(buf, spd->payload+offset, trunc_size);
+            SafeMemcpy(buf, spd->payload+offset, trunc_size,
+                       stream_pkt->data, stream_pkt->data + MAX_STREAM_SIZE);            
+                       //            memcpy(buf, spd->payload+offset, trunc_size);
             pc.rebuilt_segs++;
             bd->total_size += trunc_size;
         }
