Bug #4536

closed

SWF decompression overread

Added by Philippe Antoine over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

While decompressing an SWF file, the computation of compressed_data_len is wrong as it does not handle the offset start.


Related issues (4): 0 open, 4 closed

  • Copied to Suricata - Bug #4545: SWF decompression overread (Closed, assigned to Shivani Bhardwaj)
  • Copied to Suricata - Bug #4546: SWF decompression overread (Closed, assigned to Victor Julien)
  • Copied to Suricata - Bug #4830: SWF decompression overread (Closed, assigned to Victor Julien)
  • Copied to Suricata - Bug #4831: SWF decompression overread (Closed, assigned to Victor Julien)
#1

Updated by Philippe Antoine over 3 years ago

Gitlab MR

SWF overread seems not to be triggered because StreamingBufferGetDataAtOffset returns a pointer to a bigger buffer than said...

Dummy patch to trigger it:

diff --git a/src/detect-file-data.c b/src/detect-file-data.c
index 49c297ab8..b81d9b1fb 100644
--- a/src/detect-file-data.c
+++ b/src/detect-file-data.c
@@ -377,7 +377,9 @@ static InspectionBuffer *HttpServerBodyGetDataCallback(DetectEngineThreadCtx *de
         if (swf_file_type == FILE_SWF_ZLIB_COMPRESSION ||
             swf_file_type == FILE_SWF_LZMA_COMPRESSION)
         {
-            (void)FileSwfDecompression(data, data_len,
+            void *lol2 = malloc(data_len);
+            memcpy(lol2, data, data_len);
+            (void)FileSwfDecompression(lol2, data_len,
                                        det_ctx,
                                        buffer,
                                        htp_state->cfg->swf_compression_type,
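Review bot: the `lol2` copy is never freed within the visible hunk and the `malloc` result is not checked before `memcpy`, so each inspected SWF body leaks `data_len` bytes and a failed allocation turns into a NULL dereference; acceptable for a throwaway reproducer, but add a NULL check and a `free(lol2)` after the `FileSwfDecompression` call if this is ever meant to stay. The reason the copy exposes the bug is that its allocation is exactly `data_len` bytes, whereas the original `data` pointer came from a larger backing buffer (as the comment above notes), so the over-long read now lands in memory a sanitizer can flag rather than in adjacent valid bytes.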

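The description says compressed_data_len ignores the start offset, and the comment above explains why the overread did not surface in testing: the data pointer came from a larger backing buffer. The C below is an added example, not Suricata's code, that reduces the defect to a length computation over a constructed buffer. The header lengths follow the SWF container format (8 uncompressed header bytes for FWS/CWS; ZWS adds a 4-byte compressed length and 5 bytes of LZMA properties), but every function and constant name here (swf_kind_at, swf_compressed_len, overread_bytes, SAMPLE_START) is hypothetical.

```c
/* Added illustration, not Suricata's code: length of the compressed SWF
 * payload when the SWF body starts at an offset inside a larger buffer.
 * Header sizes follow the SWF format; all names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SWF_HDR_LEN        8u   /* "FWS"/"CWS"/"ZWS" + version + uncompressed length */
#define SWF_LZMA_EXTRA_LEN 9u   /* ZWS only: compressed length (4) + LZMA properties (5) */

enum swf_kind { SWF_NONE = 0, SWF_PLAIN, SWF_ZLIB, SWF_LZMA };

/* Identify the SWF container whose signature sits at buf[start]. */
static enum swf_kind swf_kind_at(const uint8_t *buf, size_t buf_len, size_t start)
{
    if (buf == NULL || start > buf_len || buf_len - start < SWF_HDR_LEN)
        return SWF_NONE;
    const uint8_t *p = buf + start;
    if (memcmp(p, "FWS", 3) == 0) return SWF_PLAIN;
    if (memcmp(p, "CWS", 3) == 0) return SWF_ZLIB;
    if (memcmp(p, "ZWS", 3) == 0 && buf_len - start >= SWF_HDR_LEN + SWF_LZMA_EXTRA_LEN)
        return SWF_LZMA;
    return SWF_NONE;
}

static size_t swf_header_len(enum swf_kind k)
{
    return k == SWF_LZMA ? SWF_HDR_LEN + SWF_LZMA_EXTRA_LEN : SWF_HDR_LEN;
}

/* The defect the report describes, reduced to one line: the payload length
 * is taken from the whole buffer and ignores where the SWF starts, so the
 * result is too large by exactly 'start' bytes. */
static size_t compressed_len_ignoring_start(size_t buf_len, enum swf_kind k)
{
    return buf_len - swf_header_len(k);
}

/* Corrected form: subtract both the start offset and the header, and refuse
 * input where no compressed payload can exist. */
static bool swf_compressed_len(const uint8_t *buf, size_t buf_len, size_t start, size_t *out_len)
{
    enum swf_kind k = swf_kind_at(buf, buf_len, start);
    if (k != SWF_ZLIB && k != SWF_LZMA)
        return false;
    /* swf_kind_at already guaranteed buf_len - start >= header length */
    *out_len = buf_len - start - swf_header_len(k);
    return true;
}

/* Bytes a read of 'claimed' payload bytes would touch beyond the buffer end;
 * 0 means the read stays in bounds. */
static size_t overread_bytes(size_t buf_len, size_t start, enum swf_kind k, size_t claimed)
{
    size_t hdr = swf_header_len(k);
    if (claimed > SIZE_MAX - start - hdr)
        return SIZE_MAX;                      /* arithmetic would wrap: treat as out of bounds */
    size_t end = start + hdr + claimed;
    return end > buf_len ? end - buf_len : 0;
}

/* Constructed sample (not captured traffic): 4 bytes of unrelated prefix, a CWS
 * header advertising a 64-byte uncompressed body, then 10 bytes of payload. */
static const uint8_t sample[] = {
    'x', 'x', 'x', 'x',
    'C', 'W', 'S', 0x0a, 0x40, 0x00, 0x00, 0x00,
    0x78, 0x9c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};
#define SAMPLE_START 4u

size_t demo_buggy_len(void) { return compressed_len_ignoring_start(sizeof sample, SWF_ZLIB); }
size_t demo_fixed_len(void)
{
    size_t n = 0;
    return swf_compressed_len(sample, sizeof sample, SAMPLE_START, &n) ? n : 0;
}
size_t demo_buggy_overread(void) { return overread_bytes(sizeof sample, SAMPLE_START, SWF_ZLIB, demo_buggy_len()); }
size_t demo_fixed_overread(void) { return overread_bytes(sizeof sample, SAMPLE_START, SWF_ZLIB, demo_fixed_len()); }

int main(void)
{
    printf("ignoring start: len %zu, %zu bytes past end\n", demo_buggy_len(), demo_buggy_overread());
    printf("honouring start: len %zu, %zu bytes past end\n", demo_fixed_len(), demo_fixed_overread());
    return 0;
}
```

The over-long length is precisely the start offset (4 here), which is why the read is silent when the pointer comes from a larger backing buffer: those 4 bytes are still mapped and valid. Copying the slice into an allocation of exactly its own length, as the dummy patch does with data_len, is what turns the same read into something a sanitizer reports.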
#2

Updated by Jason Ish over 3 years ago

  • Copied to Bug #4545: SWF decompression overread added
#3

Updated by Jason Ish over 3 years ago

  • Copied to Bug #4546: SWF decompression overread added
#4

Updated by Philippe Antoine over 3 years ago

Mostly fixed by https://github.com/OISF/suricata/commit/4d2f9cc8a0409bb03f5d285bb83d64afec08ba2a
Still one fix to do with new GitLab MR 247.

#5

Updated by Victor Julien about 3 years ago

  • Copied to Bug #4830: SWF decompression overread added
#6

Updated by Victor Julien about 3 years ago

  • Copied to Bug #4831: SWF decompression overread added
#8

Updated by Victor Julien almost 3 years ago

  • Private changed from Yes to No