Fix asn1 decoder frame oob mem. Adding max stack frames to suricata.yaml

15 years ago · b3a8f0a90f
parent 25d1b6fec1
commit b3a8f0a90f
4 changed files with 39 additions and 6 deletions
--- a/src/suricata.c
+++ b/src/suricata.c
@ -1057,6 +1057,7 @@ int main(int argc, char **argv)

    AppLayerHtpRegisterExtraCallbacks();
    SCThresholdConfInitContext(de_ctx,NULL);
+    SCAsn1LoadConfig();

    struct timeval start_time;
    memset(&start_time, 0, sizeof(start_time));
--- a/src/util-decode-asn1.c
+++ b/src/util-decode-asn1.c
@ -31,7 +31,20 @@
 #include "util-print.h"

 #include "util-decode-asn1.h"
+#include "conf.h"

+uint16_t asn1_max_frames_config = ASN1_MAX_FRAMES;
+
+void SCAsn1LoadConfig() {
+    intmax_t value = 0;
+
+    /** set config defaults */
+    if ((ConfGetInt("asn1_max_frames", &value)) == 1) {
+        asn1_max_frames_config = (uint16_t)value;
+        SCLogDebug("Max stack frame set to %"PRIu16, asn1_max_frames_config);
+    }
+
+}

 /**
 * \brief Decode and check the identifier information of the
@ -325,10 +338,19 @@ uint8_t SCAsn1CheckBounds(Asn1Ctx *ac) {
 Asn1Ctx *SCAsn1CtxNew(void) {
    Asn1Ctx *ac = SCMalloc(sizeof(Asn1Ctx));

-    if (ac == NULL)
+    if (ac == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
        return NULL;
-
+    }
    memset(ac, 0, sizeof(Asn1Ctx));
+
+    ac->asn1_stack = SCMalloc(sizeof(Asn1Node *) * asn1_max_frames_config);
+    if (ac->asn1_stack == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
+        return NULL;
+    }
+    memset(ac->asn1_stack, 0, sizeof(Asn1Node *) * asn1_max_frames_config);
+
    return ac;
 }

@ -361,10 +383,14 @@ void SCAsn1CtxDestroy(Asn1Ctx *ac) {
 * \retval Asn1Node pointer to the new node allocated
 */
 Asn1Node *SCAsn1CtxNewFrame(Asn1Ctx *ac, uint16_t node) {
+    if (node >= asn1_max_frames_config) {
+        return NULL;
+    }
+
    if (ac->asn1_stack[node] == NULL)
        ac->asn1_stack[node] = SCMalloc(sizeof(Asn1Node));

-    if (ac->asn1_stack[node] == NULL)
+    if (&ac->asn1_stack[node] == NULL)
        return NULL;

    memset(ac->asn1_stack[node], 0, sizeof(Asn1Node));
@ -404,7 +430,7 @@ uint8_t SCAsn1Decode(Asn1Ctx *ac, uint16_t node_id) {
    /* while remaining data, and no fatal error, or end, or max stack frames */
    while (ac->iter < ac->end
           && !(ac->parser_status & ASN1_STATUS_DONE)
-           && ac->cur_frame < ASN1_MAX_FRAMES)
+           && ac->cur_frame < asn1_max_frames_config)
    {
        /* Prepare a new frame */
        if (SCAsn1CtxNewFrame(ac, node_id) == NULL)
--- a/src/util-decode-asn1.h
+++ b/src/util-decode-asn1.h
@ -181,8 +181,9 @@ typedef struct Asn1Ctx_ {

    uint8_t *iter;

-    uint8_t cur_frame;
-    Asn1Node *asn1_stack[ASN1_MAX_FRAMES];
+    uint16_t cur_frame;
+    Asn1Node *asn1_stack2[ASN1_MAX_FRAMES];
+    Asn1Node **asn1_stack;

    uint8_t parser_status;

@ -213,6 +214,7 @@ uint8_t SCAsn1DecodeContent(Asn1Ctx *);
 uint8_t SCAsn1CheckBounds(Asn1Ctx *);

 void DecodeAsn1RegisterTests(void);
+void SCAsn1LoadConfig();

 #endif /* __DECODE_ASN1_H__ */

--- a/suricata.yaml
+++ b/suricata.yaml
@ -473,6 +473,10 @@ host-os-policy:
  vista: []
  windows2k3: []

+
+# Limit for the maximum number of asn1 frames to decode (default 256)
+asn1_max_frames: 256
+
 ###########################################################################
 # Configure libhtp.
 #