From c7053e9a361c929aed6c18b3c79e45a91a7dd437 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 12 Nov 2020 09:21:39 -0800 Subject: [PATCH 1/2] Fix scenario where `FreeHandshakeResources` is called and server hello is recevied and WOLFSSL arrays is NULL. --- src/sniffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index bec413fa3..b1c8aab14 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -2648,7 +2648,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, (void)initialBytes; /* make sure we didn't miss ClientHello */ - if (session->flags.clientHello == 0) { + if (session->flags.clientHello == 0 || session->sslClient->arrays == NULL) { SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE); return -1; } From f02cc650a203ac2a86ba70d90de32761c2102bd8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 12 Nov 2020 16:08:07 -0800 Subject: [PATCH 2/2] Fixes for handling TCP `out-of-range sequence number`. --- src/sniffer.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index b1c8aab14..a2e73b1f2 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -2649,8 +2649,8 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, /* make sure we didn't miss ClientHello */ if (session->flags.clientHello == 0 || session->sslClient->arrays == NULL) { - SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE); - return -1; + SetError(MISSED_CLIENT_HELLO_STR, error, session, 0); + return 0; /* do not throw error, just ignore packet */ } /* make sure can read through session len */ @@ -4152,6 +4152,7 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet, SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } + /* We only care about the data in the TCP/IP record. There may be extra * data after the IP record for the FCS for Ethernet. */ *sslBytes = (int)(packet + ipInfo->total - *sslFrame); @@ -4564,6 +4565,8 @@ static int FixSequence(TcpInfo* tcpInfo, SnifferSession* session) { word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ? &session->srvExpected : &session->cliExpected; + word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? + session->srvSeqStart : session->cliSeqStart; PacketBuffer* list = (session->flags.side == WOLFSSL_SERVER_END) ? session->srvReassemblyList : session->cliReassemblyList; @@ -4571,16 +4574,16 @@ static int FixSequence(TcpInfo* tcpInfo, SnifferSession* session) &session->flags.srvSkipPartial : &session->flags.cliSkipPartial; + if (tcpInfo->ackNumber < seqStart) { + return -1; /* do not fix sequence - could be ack on unseen seq */ + } *skipPartial = 1; + if (list != NULL) *expected = list->begin; - else { - word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? - session->srvSeqStart : session->cliSeqStart; - word32 real = tcpInfo->ackNumber - seqStart; + else + *expected = tcpInfo->ackNumber - seqStart; - *expected = real; - } return 1; } @@ -4621,8 +4624,8 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo, &session->flags.cliAckFault : &session->flags.srvAckFault; - /* init SEQ from server to client */ - if (tcpInfo->syn && tcpInfo->ack) { + /* init SEQ from server to client - if not ack fault */ + if (tcpInfo->syn && tcpInfo->ack && !*ackFault) { session->srvSeqStart = tcpInfo->sequence; session->srvExpected = 1; TraceServerSyn(tcpInfo->sequence);