Fix incorrect UDP data length when UDP packet shorter than minimum et…

…hernet packet length (arkime#2791) * Fix incorrect UDP data length * Add a MIN call to prevent buffer overflow
mmguero-dev · May 16, 2024 · b17c5ac · b17c5ac
1 parent f7cbe1f
commit b17c5ac
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 2 deletions.
diff --git a/capture/parsers/udp.c b/capture/parsers/udp.c
@@ -61,15 +61,21 @@ int udp_pre_process(ArkimeSession_t *session, ArkimePacket_t *const packet, int
     packet->direction = (dir &&
                          session->port1 == ntohs(udphdr->uh_sport) &&
                          session->port2 == ntohs(udphdr->uh_dport)) ? 0 : 1;
-    session->databytes[packet->direction] += (packet->pktlen - packet->payloadOffset - 8);
+    session->databytes[packet->direction] += MIN(
+        ntohs(udphdr->uh_ulen) - 8,
+        (packet->pktlen - packet->payloadOffset - 8)
+    );
 
     return 0;
 }
 /******************************************************************************/
 int udp_process(ArkimeSession_t *session, ArkimePacket_t *const packet)
 {
     const uint8_t *data = packet->pkt + packet->payloadOffset + 8;
-    int            len = packet->payloadLen - 8;
+    uint16_t        len = MIN(
+        (packet->pkt[packet->payloadOffset + 4] << 8 | packet->pkt[packet->payloadOffset + 5]) - 8,
+        packet->payloadLen - 8
+    );
 
     if (len <= 0)
         return 1;

diff --git a/tests/pcap/padded-udp.pcap b/tests/pcap/padded-udp.pcap
diff --git a/tests/pcap/padded-udp.test b/tests/pcap/padded-udp.test
@@ -0,0 +1,80 @@
+{
+   "sessions3" : [
+      {
+         "body" : {
+            "@timestamp" : "SET",
+            "client" : {
+               "bytes" : 1
+            },
+            "destination" : {
+               "bytes" : 0,
+               "geo" : {
+                  "country_iso_code" : "RU"
+               },
+               "ip" : "1.2.3.4",
+               "mac" : [
+                  "fe:dc:ba:98:76:54"
+               ],
+               "mac-cnt" : 1,
+               "packets" : 0,
+               "port" : 12345
+            },
+            "dstRIR" : "APNIC",
+            "fileId" : [],
+            "firstPacket" : 1715858838018,
+            "ipProtocol" : 17,
+            "lastPacket" : 1715858838018,
+            "length" : 0,
+            "network" : {
+               "bytes" : 60,
+               "community_id" : "1:8qMDOtieYDvO6jsAKvncvGwV0F8=",
+               "packets" : 1
+            },
+            "node" : "test",
+            "packetLen" : [
+               76
+            ],
+            "packetPos" : [
+               24
+            ],
+            "protocol" : [
+               "udp"
+            ],
+            "protocolCnt" : 1,
+            "segmentCnt" : 1,
+            "server" : {
+               "bytes" : 0
+            },
+            "source" : {
+               "as" : {
+                  "full" : "AS6805 Telefonica Germany",
+                  "number" : 6805,
+                  "organization" : {
+                     "name" : "Telefonica Germany"
+                  }
+               },
+               "bytes" : 60,
+               "geo" : {
+                  "country_iso_code" : "DE"
+               },
+               "ip" : "5.6.7.8",
+               "mac" : [
+                  "01:23:45:67:89:ab"
+               ],
+               "mac-cnt" : 1,
+               "packets" : 1,
+               "port" : 43444
+            },
+            "srcPayload8" : "31",
+            "srcRIR" : "RIPE",
+            "totDataBytes" : 1
+         },
+         "header" : {
+            "index" : {
+               "_index" : "tests_sessions3-240516"
+            }
+         }
+      }
+   ]
+}
+