[Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB

Fri, 07 Mar 2014 11:43:16 -0800 

     [ 
https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-348:
--------------------------------

    Assignee: Bernhard Amann

> Reassembler integer overflow issues. Data not delivered after 2GB
> -----------------------------------------------------------------
>
>                 Key: BIT-348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Bernhard Amann
>            Priority: High
>              Labels: inttypes
>             Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the first 
> 2GB due to signed integer overflow (Actually it will deliver again between 
> 4--6GB, etc.) This happens silently, i.e., without content_gap events or 
> Undelivered calls. 
> This report superseded BIT-315, BIT-137
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track of 
> sequence numbers and ``seq_delta`` to check for differences. If a connection 
> exceeds 2GB, the relative sequence numbers (int) used by the Reassembler 
> become negative. While many parts of the Reassembler still work (because 
> seq_delta still reports the correct difference) some parts do not. In 
> particular ``seq_to_skip`` is broken (and fails silently). There might well 
> be other parts of the Reassembler that fail 
> silently as well, that I haven't found yet. 
> See Comments in TCP_Reassembler.cc for more details. 
> The Reassembler should use int64. However this will require deep changes to 
> the Reassembler and the TCP Analyzer and TCP_Endpoint classes (since we also 
> store sequence numbers there). Also, the analyzer framework will need tweaks 
> as well (e.g., Undelivered uses ``int`` for sequence numbers, also has to go 
> to 64 bit)
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features. It 
> wasn't used by any analyzer or policy script (Note, that seq_to_skip is 
> different from skip_deliveries). Hotfix is in 
> topic/gregor/reassembler-hotfix
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

Reply via email to