Snort mailing list archives
Re: integer overflow issue in PAWS window checks
From: "Nilesh K. Patel via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 22 Dec 2017 12:45:20 +0000
Hi, There is a issue in PAWS window checks in snort_steam_tcp.c Consider you got big timestamp in last segment and current segment has 0(zero) or less timestamp. Ex. ts_last = 2331162992 and tdb->ts = 0 (bad segment) and dry run below code. if (validate_timestamp) { int result = 0; if (listener->tcp_policy->policy == STREAM_POLICY_LINUX) { /* Linux 2.6 accepts timestamp values that are off * by one. */ result = (int)((tdb->ts - talker->ts_last) + 1); } else { result = (int)(tdb->ts - talker->ts_last); } Here we expect result should negative as tdb->ts is less than ts_last. But as last segment got big timestamp which actually negative number in 32bit integer and if we do 0 - 2331162992 will become positive number 1963804304, but expect < 0. if(result < 0) { STREAM_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Packet outside PAWS window, dropping\n");); /* bail, we've got a packet outside the PAWS window! */ //Discard(); *eventcode |= EVENT_BAD_TIMESTAMP; if(listener->tcp_policy->flags & STREAM_CONFIG_ENABLE_ALERTS) NormalDropPacket(p); return ACTION_BAD_PKT; } It must fall in this if and drop this bad segment, however it is bypassing this checks due to wrongly handled comparison. There are other checks after this, which actually updates the timestamp wrongly. As I see this should be change or am I missing something here. Happy to give patch if you agree. Thanks, Nilesh
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: integer overflow issue in PAWS window checks Nilesh K. Patel via Snort-devel (Dec 22)