Bug #3527

4.1.x Kerberos vulnerable to TCP splitting evasion

Added by Philippe Antoine almost 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Immediate

Description

Problem happens if the split happens in the middle of a record size.
Another problem happens if the buffer size is less than 4.

Problem found while running suricata-verify tests against Suricata compiled with this patch

diff --git a/src/app-layer.c b/src/app-layer.c
index b614f2712..0149d6b4f 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -658,8 +658,15 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
          * a start msg should have gotten us one */
         if (f->alproto != ALPROTO_UNKNOWN) {
             PACKET_PROFILING_APP_START(app_tctx, f->alproto);
+#ifndef LOLSPLIT
+            for (size_t i = 0; i < data_len; i++) {
+                r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
+                                        flags, data+i, 1);
+            }
+#else
             r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
                                     flags, data, data_len);
+#endif
             PACKET_PROFILING_APP_END(app_tctx, f->alproto);
             if (r >= 0) {
                 (*stream)->app_progress_rel += data_len;
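Review bot: In the added `for` loop, `r` is overwritten on every iteration, so only the return value of the last one-byte `AppLayerParserParse()` call reaches the `if (r >= 0)` check; a negative return for an earlier byte is dropped and the parser keeps being fed after it failed. Break out of the loop as soon as `r < 0`. With `data_len == 0` the loop also never calls the parser, where the original code called it once with a zero length, so that case no longer gets exercised. Finally, the guard is `#ifndef LOLSPLIT`, which makes the byte-at-a-time path the default and the normal call the one that needs the macro defined; if this is meant as an opt-in test aid, `#ifdef` with the two branches swapped keeps an ordinary build unchanged.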

Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion | Closed | Jeff Lucovsky
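
The two cases in the description (a split inside the record size, and a buffer shorter than 4 bytes) are the ones a streaming parser for length-prefixed records has to absorb. As an added example, not Suricata's code, this C state machine assumes the 4-byte big-endian length framing that Kerberos uses over TCP; `RecState`, `rec_feed`, `rec_count_chunked`, `REC_MAX` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical streaming state for 4-byte big-endian length-prefixed records. */
typedef struct {
    uint8_t  hdr[4];    /* length bytes collected so far */
    size_t   hdr_have;  /* how many of the 4 length bytes are buffered */
    uint32_t body_left; /* payload bytes still owed for the current record */
    unsigned records;   /* completed records */
} RecState;
#define REC_MAX 65536u  /* assumed sanity cap on a single record */
/* Constructed sample: two records, "abc" and "z". */
static const uint8_t SAMPLE[] = {0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 1, 'z'};

/* Feed one segment of any size, 1 byte included. Returns 0, or -1 if too long. */
int rec_feed(RecState *st, const uint8_t *data, size_t len)
{
    while (len > 0) {
        if (st->body_left == 0) {
            /* Collecting the size field: copy only what this segment holds. */
            size_t need = 4 - st->hdr_have, take = len < need ? len : need;
            memcpy(st->hdr + st->hdr_have, data, take);
            st->hdr_have += take; data += take; len -= take;
            if (st->hdr_have < 4) return 0; /* split inside the size: wait */
            uint32_t n = ((uint32_t)st->hdr[0] << 24) | ((uint32_t)st->hdr[1] << 16) |
                         ((uint32_t)st->hdr[2] << 8) | st->hdr[3];
            st->hdr_have = 0;
            if (n > REC_MAX) return -1;
            if (n == 0) st->records++;      /* empty record completes at once */
            st->body_left = n;
        } else {
            size_t take = len < st->body_left ? len : st->body_left; /* payload */
            data += take; len -= take;
            st->body_left -= (uint32_t)take;
            if (st->body_left == 0) st->records++;
        }
    }
    return 0;
}

/* Feed buf in fixed-size chunks; -1 on bad length or trailing partial record. */
int rec_count_chunked(const uint8_t *buf, size_t len, size_t chunk)
{
    RecState st = {0};
    if (chunk == 0) return -1;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        if (rec_feed(&st, buf + off, n) < 0) return -1;
    }
    return (st.hdr_have == 0 && st.body_left == 0) ? (int)st.records : -1;
}
```

Feeding `SAMPLE` one byte at a time, three bytes at a time, or in a single call yields the same two records, which is the property the patch above tests for.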