hipercontracer: don't consume LDAP/SASL/KRB_TOKEN_CFX_WRAP messages
See the capture in #9398 for an example. Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
33c9657365
commit
4d6941caa6
|
@ -61,16 +61,43 @@ heur_dissect_hipercontracer(tvbuff_t *message_tvb, packet_info *pinfo, proto_tre
|
|||
if (length < 16)
|
||||
return FALSE;
|
||||
|
||||
const guint32 magic = tvb_get_ntohl(message_tvb, 0);
|
||||
|
||||
// Send TTL cannot be < 1
|
||||
const guint8 sendTTL = tvb_get_guint8(message_tvb, 4);
|
||||
if (sendTTL < 1)
|
||||
return FALSE;
|
||||
|
||||
const guint8 round = tvb_get_guint8(message_tvb, 5);
|
||||
|
||||
const guint16 checksumTweak = tvb_get_ntohs(message_tvb, 6);
|
||||
|
||||
guint64 sendTimeStamp = tvb_get_ntoh64(message_tvb, 8);
|
||||
|
||||
/*
|
||||
* Don't dissect a SASL ldap message, which starts with the
|
||||
* first 12 bytes like this:
|
||||
*
|
||||
* Length: 00000091 (very, very unlikely larger than 24bits).
|
||||
* Magic: 0504 (KRB_TOKEN_CFX_WRAP)
|
||||
* Flags: 04 (0x01, 0x02, 0x04 are defined)
|
||||
* Filler: ff
|
||||
* EC: 000c
|
||||
* RRC: 0000 or 000c
|
||||
*/
|
||||
if ((magic & 0xff000000) == 0 &&
|
||||
(magic & 0x00ffffff) != 0 &&
|
||||
sendTTL == 0x05 &&
|
||||
round == 0x04 &&
|
||||
(checksumTweak & 0xf8ff) == 0x00ff &&
|
||||
(sendTimeStamp & G_GUINT64_CONSTANT(0xff00ff0000000000)) == 0)
|
||||
return FALSE;
|
||||
|
||||
// Check for plausible send time stamp:
|
||||
// * After: 01.01.2016 00:00:00.000000
|
||||
// * Before: 31.12.2099 23:59.59.999999
|
||||
// Time stamp is microseconds since 29.09.1976 00:00:00.000000.
|
||||
const guint64 sendTimeStamp = tvb_get_ntoh64(message_tvb, 8) + G_GUINT64_CONSTANT(212803200000000);
|
||||
sendTimeStamp += G_GUINT64_CONSTANT(212803200000000);
|
||||
if ( (sendTimeStamp < G_GUINT64_CONSTANT(1451602800000000)) ||
|
||||
(sendTimeStamp > G_GUINT64_CONSTANT(4102441199999999)) )
|
||||
return FALSE;
|
||||
|
|
Loading…
Reference in New Issue