segfault in Content_Analyzer with multipart/form-data http

Description

When ContentLine_Analyzer::DoDeliverOnce is called with a value of "\nfalse\r\n----WebkitFormBoundary" and last_char was set to '\r' in a previous call, buf is set to \0 at index -1.

I think a fix would be to check the offset in the EMIT_LINE macro to be > 0.

Sadly, I cannot share the original trace which triggers the segfault. If this report is not enough, I can spend some more time trying to create a test trace.

Environment

FreeBSD 10.3 RELEASE
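
An added illustration of the index arithmetic described in the report, written for this page and not taken from Bro's source or from the reporter. It is a simplified CRLF line splitter; `line_state`, `terminator_index` and `deliver` are hypothetical names, and the starting state (empty buffer, previous byte '\r') is constructed to match the description above.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a CRLF line splitter; NOT Bro's implementation. */
struct line_state {
    char buf[64];       /* current partial line */
    int  offset;        /* bytes used in buf */
    char last_char;     /* final byte seen by the previous call */
    char last_line[64]; /* most recently emitted line, for inspection */
    int  lines;         /* total lines emitted */
};

/* Index the NUL terminator lands on when an LF arrives.
 * Unguarded: after a CR it is always offset - 1, i.e. -1 for an empty buffer.
 * Guarded: the CR is stripped only if buf actually holds a byte. */
int terminator_index(const struct line_state *s, int guarded)
{
    if (s->last_char != '\r')
        return s->offset;
    if (guarded && s->offset == 0)
        return 0;
    return s->offset - 1;
}

/* Guarded delivery of one chunk; returns the lines emitted by this call. */
int deliver(struct line_state *s, const char *data, size_t len)
{
    int emitted = 0;
    for (size_t i = 0; i < len; i++) {
        char c = data[i];
        if (c == '\n') {
            int end = terminator_index(s, 1);   /* never negative */
            s->buf[end] = '\0';
            memcpy(s->last_line, s->buf, (size_t)end + 1);
            s->offset = 0;
            s->lines++;
            emitted++;
        } else if (s->offset < (int)sizeof(s->buf) - 1) {
            s->buf[s->offset++] = c;            /* overlong lines are truncated */
        }
        s->last_char = c;
    }
    return emitted;
}
```

The unguarded index is only computed here, never written to, so the model shows the out-of-bounds position without performing the write.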

Activity

Johanna Amann
October 17, 2017, 6:06 AM

Yup, can reproduce - I will post a patch here in a bit.

Johanna Amann
October 17, 2017, 9:19 AM

This is updated in master and we released Bro 2.5.2 to address it. Patch at https://github.com/bro/bro/commit/6c0f101a62489b1c5927b4ed63b0e1d37db40282

Thanks a lot for reporting this and for answering questions.

Frank Meier
October 17, 2017, 5:12 PM

Thanks for the fix. I hope I can provide a more thorough report next time.

Jeffrey Bencteux
October 18, 2017, 11:15 PM

I can reproduce this behaviour with the pcap I added above. I also added the ASAN backtrace of the execution of Bro with that pcap. Hope this can help for testing (even if the problem is solved).

Johanna Amann
January 2, 2018, 7:13 PM

This was assigned CVE-2017-1000458.

Merged

Assignee

Unassigned

Reporter

Frank Meier

Priority

Normal