|
|
ee3a35 |
From 0381a0de64a5a048c3d48b79055bd9848d0c7fc2 Mon Sep 17 00:00:00 2001
|
|
|
ee3a35 |
From: PascalWithopf <pwithopf@adiscon.com>
|
|
|
ee3a35 |
Date: Wed, 19 Apr 2017 13:06:30 +0200
|
|
|
ee3a35 |
Subject: [PATCH] imptcp: fix Segmentation Fault when octet count is to high
|
|
|
ee3a35 |
|
|
|
ee3a35 |
---
|
|
|
ee3a35 |
plugins/imptcp/imptcp.c | 14 ++++++-
|
|
|
ee3a35 |
1 files changed, 12 insertions(+), 2 deletions(-)
|
|
|
ee3a35 |
|
|
|
ee3a35 |
diff --git a/plugins/imptcp/imptcp.c b/plugins/imptcp/imptcp.c
|
|
|
ee3a35 |
index acf0dcd25..b9a4e2fdf 100644
|
|
|
ee3a35 |
--- a/plugins/imptcp/imptcp.c
|
|
|
ee3a35 |
+++ b/plugins/imptcp/imptcp.c
|
|
|
ee3a35 |
@@ -902,7 +902,16 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
|
|
|
ee3a35 |
|
|
|
ee3a35 |
if(pThis->inputState == eInOctetCnt) {
|
|
|
ee3a35 |
if(isdigit(c)) {
|
|
|
ee3a35 |
- pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
|
|
|
ee3a35 |
+ if(pThis->iOctetsRemain <= 200000000) {
|
|
|
ee3a35 |
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
|
|
|
ee3a35 |
+ } else {
|
|
|
ee3a35 |
+ errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
|
|
|
ee3a35 |
+ "frame too large (at least %d%c), change to octet stuffing",
|
|
|
ee3a35 |
+ pThis->iOctetsRemain, c);
|
|
|
ee3a35 |
+ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
|
|
|
ee3a35 |
+ pThis->inputState = eInMsg;
|
|
|
ee3a35 |
+ }
|
|
|
ee3a35 |
+ *(pThis->pMsg + pThis->iMsg++) = c;
|
|
|
ee3a35 |
} else { /* done with the octet count, so this must be the SP terminator */
|
|
|
ee3a35 |
DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
|
|
|
ee3a35 |
if(c != ' ') {
|
|
|
ee3a35 |
@@ -911,9 +920,9 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
|
|
|
ee3a35 |
}
|
|
|
ee3a35 |
if(pThis->iOctetsRemain < 1) {
|
|
|
ee3a35 |
/* TODO: handle the case where the octet count is 0! */
|
|
|
ee3a35 |
- DBGPRINTF("Framing Error: invalid octet count\n");
|
|
|
ee3a35 |
errmsg.LogError(0, NO_ERRCODE, "Framing Error in received TCP message: "
|
|
|
ee3a35 |
"invalid octet count %d.", pThis->iOctetsRemain);
|
|
|
ee3a35 |
+ pThis->eFraming = TCP_FRAMING_OCTET_STUFFING;
|
|
|
ee3a35 |
} else if(pThis->iOctetsRemain > iMaxLine) {
|
|
|
ee3a35 |
/* while we can not do anything against it, we can at least log an indication
|
|
|
ee3a35 |
* that something went wrong) -- rgerhards, 2008-03-14
|
|
|
ee3a35 |
@@ -924,6 +933,7 @@ processDataRcvd(ptcpsess_t *const __restrict__ pThis,
|
|
|
ee3a35 |
"max msg size is %d, truncating...", pThis->iOctetsRemain, iMaxLine);
|
|
|
ee3a35 |
}
|
|
|
ee3a35 |
pThis->inputState = eInMsg;
|
|
|
ee3a35 |
+ pThis->iMsg = 0;
|
|
|
ee3a35 |
}
|
|
|
ee3a35 |
} else {
|
|
|
ee3a35 |
assert(pThis->inputState == eInMsg);
|