From 6b90d20cc90a9367a76f3a0f28afffe5ad709711 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Dec 2021 09:11:09 +0100 Subject: [PATCH 1/5] ftp: fix int warnings Explicitly truncate a file name if it is longer than UINT16_MAX
---
 src/app-layer-ftp.c | 15 +++++++++------ src/app-layer-ftp.h | 2 +- src/util-mpm.c | 2 +- src/util-mpm.h | 2 +- 4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index ae1b42d5816a..ea08d80c9990 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -642,14 +642,18 @@ static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state,
 * Min size has been checked in FTPParseRequestCommand * PATH_MAX includes the null */
- int file_name_len = MIN(PATH_MAX - 1, state->current_line_len - 5);
+ uint32_t file_name_len = MIN(PATH_MAX - 1, state->current_line_len - 5);
+ if (file_name_len > UINT16_MAX) {
+ // truncate the file name if too long for util-file.h
+ file_name_len = UINT16_MAX;
+ }
 data->file_name = FTPCalloc(file_name_len + 1, sizeof(char)); if (data->file_name == NULL) { FtpTransferCmdFree(data); SCReturnStruct(APP_LAYER_ERROR); } data->file_name[file_name_len] = 0;
- data->file_len = file_name_len;
+ data->file_len = (uint16_t)file_name_len;
 memcpy(data->file_name, state->current_line + 5, file_name_len); data->cmd = state->command; data->flow_id = FlowGetId(f);
@@ -1029,9 +1033,8 @@ static StreamingBufferConfig sbcfg = STREAMING_BUFFER_CONFIG_INITIALIZER;
 * \retval 1 when the command is parsed, 0 otherwise */ static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
- AppLayerParserState *pstate,
- const uint8_t *input, uint32_t input_len,
- void *local_data, int direction)
+ AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len, void *local_data,
+ uint8_t direction)
 { uint16_t flags = FileFlowToFlags(f, direction); int ret = 0;
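Review bot: The new cap in FTPParseRequest shortens the stored file name to UINT16_MAX bytes without any event or log entry, so a rule or log consumer that keys on the full name sees only a prefix and cannot tell it was cut. A decoder event on that branch, or at least a comment such as `/* name cut at UINT16_MAX bytes: matches and logs see the prefix only */`, would make the truncation visible to whoever reads the output. Where `PATH_MAX - 1` is already below UINT16_MAX the branch cannot be taken, because of the `MIN` on the line above it. The same silent clamp is added in HtpRequestBodyHandlePOSTorPUT, HtpResponseBodyHandle and SMTPProcessDataChunk in patches 2 and 4 of this series.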
@@ -1361,7 +1364,7 @@ uint16_t JsonGetNextLineFromBuffer(const char *buffer, const uint16_t len)
 } char *c = strchr(buffer, '\n');
- return c == NULL ? len : c - buffer + 1;
+ return c == NULL ? len : (uint16_t)(c - buffer + 1);
 } void EveFTPDataAddMetadata(const Flow *f, JsonBuilder *jb)
diff --git a/src/app-layer-ftp.h b/src/app-layer-ftp.h
index aaf09f6a1126..7232268055b8 100644
--- a/src/app-layer-ftp.h
+++ b/src/app-layer-ftp.h
@@ -127,7 +127,7 @@ typedef struct FtpLineState_ {
 typedef struct FTPString_ { uint8_t *str;
- uint16_t len;
+ uint32_t len;
 TAILQ_ENTRY(FTPString_) next; } FTPString;
diff --git a/src/util-mpm.c b/src/util-mpm.c
index f16a940f9e49..851df27c497f 100644
--- a/src/util-mpm.c
+++ b/src/util-mpm.c
@@ -46,7 +46,7 @@ #endif MpmTableElmt mpm_table[MPM_TABLE_SIZE];
-int mpm_default_matcher;
+uint16_t mpm_default_matcher;
 /** * \brief Register a new Mpm Context.
diff --git a/src/util-mpm.h b/src/util-mpm.h
index ae5e228c945a..e6669f614e98 100644
--- a/src/util-mpm.h
+++ b/src/util-mpm.h
@@ -170,7 +170,7 @@ typedef struct MpmTableElmt_ {
 } MpmTableElmt; extern MpmTableElmt mpm_table[MPM_TABLE_SIZE];
-extern int mpm_default_matcher;
+extern uint16_t mpm_default_matcher;
 struct DetectEngineCtx_;
From 9604c7224975aae09b0629405ef4a4b4b2736c40 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Dec 2021 09:22:52 +0100 Subject: [PATCH 2/5] http: : fix int warnings Explicitly truncate file names to UINT16_MAX Before, they got implicitly truncated, meaning a UINT16_MAX + 1 file name, went to 0 file name (because of modulo 65536)
---
 src/app-layer-htp-file.c | 3 +-- src/app-layer-htp-range.c | 3 ++- src/app-layer-htp.c | 41 ++++++++++++++++++++++++--------------- 3 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index 4051d1811c9a..83fbf0dab30d 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
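Review bot: The cast added to the return of JsonGetNextLineFromBuffer hides a search that `len` never bounded: `strchr` runs to the first NUL, so a newline found beyond `len` yields a value larger than `len`, and one beyond offset 65535 is now wrapped silently by the cast. Searching with `const char *c = memchr(buffer, '\n', len);` keeps the result within `len` and makes the cast lossless. The start of the function is outside this hunk, so an earlier check may already guarantee a terminator inside `len`; if it does, a comment on the `strchr` line saying so would be enough.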
@@ -227,8 +227,7 @@ int HTPFileOpenWithRange(HtpState *s, HtpTxUserData *txud, const uint8_t *filena
 HTTPContentRange crparsed; if (HTPParseAndCheckContentRange(rawvalue, &crparsed, s, htud) != 0) { // range is invalid, fall back to classic open
- return HTPFileOpen(
- s, txud, filename, (uint32_t)filename_len, data, data_len, txid, STREAM_TOCLIENT);
+ return HTPFileOpen(s, txud, filename, filename_len, data, data_len, txid, STREAM_TOCLIENT);
 } flags = FileFlowToFlags(s->f, STREAM_TOCLIENT); if ((s->flags & HTP_FLAG_STORE_FILES_TS) ||
diff --git a/src/app-layer-htp-range.c b/src/app-layer-htp-range.c
index 24777d3f99b3..ed7d6b154059 100644
--- a/src/app-layer-htp-range.c
+++ b/src/app-layer-htp-range.c
@@ -163,7 +163,8 @@ void HttpRangeContainersInit(void)
 } } if (ConfGetValue("app-layer.protocols.http.byterange.timeout", &str) == 1) {
- if (StringParseUint32(&timeout, 10, strlen(str), str) <= 0) {
+ size_t slen = strlen(str);
+ if (slen > UINT16_MAX || StringParseUint32(&timeout, 10, (uint16_t)slen, str) <= 0) {
 SCLogWarning(SC_ERR_INVALID_VALUE, "timeout value cannot be deduced: %s," " resetting to default",
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 28b10c21d3a4..e88e4cb51f6a 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -524,7 +524,7 @@ static uint32_t AppLayerHtpComputeChunkLength(uint64_t content_len_so_far, uint3
 /* below error messages updated up to libhtp 0.5.7 (git 379632278b38b9a792183694a4febb9e0dbd1e7a) */ struct { const char *msg;
- int de;
+ uint8_t de;
 } htp_errors[] = { { "GZip decompressor: inflateInit2 failed", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED}, { "Request field invalid: colon missing", HTTP_DECODER_EVENT_REQUEST_FIELD_MISSING_COLON},
@@ -547,7 +547,7 @@ struct {
 struct { const char *msg;
- int de;
+ uint8_t de;
 } htp_warnings[] = { { "GZip decompressor:", HTTP_DECODER_EVENT_GZIP_DECOMPRESSION_FAILED}, { "Request field invalid", HTTP_DECODER_EVENT_REQUEST_HEADER_INVALID},
@@ -594,7 +594,7 @@ struct {
 * * \retval id the id or 0 in case of not found */
-static int HTPHandleWarningGetId(const char *msg)
+static uint8_t HTPHandleWarningGetId(const char *msg)
 { SCLogDebug("received warning \"%s\"", msg); size_t idx;
@@ -618,7 +618,7 @@ static int HTPHandleWarningGetId(const char *msg)
 * * \retval id the id or 0 in case of not found */
-static int HTPHandleErrorGetId(const char *msg)
+static uint8_t HTPHandleErrorGetId(const char *msg)
 { SCLogDebug("received error \"%s\"", msg);
@@ -675,7 +675,7 @@ static void HTPHandleError(HtpState *s, const uint8_t dir)
 SCLogDebug("message %s", log->msg);
- int id = HTPHandleErrorGetId(log->msg);
+ uint8_t id = HTPHandleErrorGetId(log->msg);
 if (id == 0) { id = HTPHandleWarningGetId(log->msg); if (id == 0)
@@ -1255,9 +1255,9 @@ static void HtpRequestBodyMultipartParseHeader(HtpState *hstate,
 ft_len = USHRT_MAX; *filename = fn;
- *filename_len = fn_len;
+ *filename_len = (uint16_t)fn_len;
 *filetype = ft;
- *filetype_len = ft_len;
+ *filetype_len = (uint16_t)ft_len;
 } /**
@@ -1304,8 +1304,8 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
 { int result = 0; uint8_t boundary[htud->boundary_len + 4]; /**< size limited to HTP_BOUNDARY_MAX + 4 */
- uint32_t expected_boundary_len = htud->boundary_len + 2;
- uint32_t expected_boundary_end_len = htud->boundary_len + 4;
+ uint16_t expected_boundary_len = htud->boundary_len + 2;
+ uint16_t expected_boundary_end_len = htud->boundary_len + 4;
 int tx_progress = 0; #ifdef PRINT
@@ -1434,7 +1434,7 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
 /* skip empty records */ if (expected_boundary_len == header_len) { goto next;
- } else if ((expected_boundary_len + 2) <= header_len) {
+ } else if ((uint32_t)(expected_boundary_len + 2) <= header_len) {
 header_len -= (expected_boundary_len + 2); header = (uint8_t *)header_start + (expected_boundary_len + 2); // + for 0d 0a }
@@ -1536,7 +1536,7 @@ static int HtpRequestBodyHandleMultipart(HtpState *hstate, HtpTxUserData *htud,
 SCLogDebug("offset %u", offset); htud->request_body.body_parsed += offset;
- if (filedata_len >= (expected_boundary_len + 2)) {
+ if (filedata_len >= (uint32_t)(expected_boundary_len + 2)) {
 filedata_len -= (expected_boundary_len + 2 - 1); SCLogDebug("opening file with partial data"); } else {
@@ -1630,7 +1630,11 @@ static int HtpRequestBodyHandlePOSTorPUT(HtpState *hstate, HtpTxUserData *htud,
 } if (filename != NULL) {
- result = HTPFileOpen(hstate, htud, filename, (uint32_t)filename_len, data, data_len,
+ if (filename_len > UINT16_MAX) {
+ // explicitly truncate the file name if too long
+ filename_len = UINT16_MAX;
+ }
+ result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len,
 HtpGetActiveRequestTxID(hstate), STREAM_TOSERVER); if (result == -1) { goto end;
@@ -1703,11 +1707,15 @@ static int HtpResponseBodyHandle(HtpState *hstate, HtpTxUserData *htud,
 if (filename != NULL) { // set range if present htp_header_t *h_content_range = htp_table_get_c(tx->response_headers, "content-range");
+ if (filename_len > UINT16_MAX) {
+ // explicitly truncate the file name if too long
+ filename_len = UINT16_MAX;
+ }
 if (h_content_range != NULL) {
- result = HTPFileOpenWithRange(hstate, htud, filename, (uint32_t)filename_len, data,
+ result = HTPFileOpenWithRange(hstate, htud, filename, (uint16_t)filename_len, data,
 data_len, HtpGetActiveResponseTxID(hstate), h_content_range->value, htud); } else {
- result = HTPFileOpen(hstate, htud, filename, (uint32_t)filename_len, data, data_len,
+ result = HTPFileOpen(hstate, htud, filename, (uint16_t)filename_len, data, data_len,
 HtpGetActiveResponseTxID(hstate), STREAM_TOCLIENT); } SCLogDebug("result %d", result);
@@ -3025,7 +3033,7 @@ static int HTPRegisterPatternsForProtocolDetection(void)
 * but the pattern matching should only be one char */ register_result = AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_HTTP1,
- method_buffer, strlen(method_buffer) - 3, 0, STREAM_TOSERVER);
+ method_buffer, (uint16_t)strlen(method_buffer) - 3, 0, STREAM_TOSERVER);
 if (register_result < 0) { return -1; }
@@ -3035,7 +3043,8 @@ static int HTPRegisterPatternsForProtocolDetection(void)
 /* Loop through all the http verions patterns that are TO_CLIENT */ for (versions_pos = 0; versions[versions_pos]; versions_pos++) { register_result = AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_HTTP1,
- versions[versions_pos], strlen(versions[versions_pos]), 0, STREAM_TOCLIENT);
+ versions[versions_pos], (uint16_t)strlen(versions[versions_pos]), 0,
+ STREAM_TOCLIENT);
 if (register_result < 0) { return -1; }
From 05335e4b92ac24a05624a46236a7b6bbba393298 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Dec 2021 09:26:54 +0100 Subject: [PATCH 3/5] app: fix int warnings in generic app files
---
 src/app-layer-parser.c | 4 ++-- src/app-layer-register.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
index af5ca0726f73..19da8561b997 100644
--- a/src/app-layer-parser.c
+++ b/src/app-layer-parser.c
@@ -249,7 +249,7 @@ AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void)
 SCEnter(); AppProto alproto = 0;
- int flow_proto = 0;
+ uint8_t flow_proto = 0;
 AppLayerParserThreadCtx *tctx; tctx = SCMalloc(sizeof(*tctx));
@@ -275,7 +275,7 @@ void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
 SCEnter(); AppProto alproto = 0;
- int flow_proto = 0;
+ uint8_t flow_proto = 0;
 for (flow_proto = 0; flow_proto < FLOW_PROTO_DEFAULT; flow_proto++) { for (alproto = 0; alproto < ALPROTO_MAX; alproto++) {
diff --git a/src/app-layer-register.h b/src/app-layer-register.h
index b470761c3508..90b3402b623d 100644
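Review bot: In the first registration call of HTPRegisterPatternsForProtocolDetection the cast binds to `strlen(method_buffer)` only, so `(uint16_t)strlen(method_buffer) - 3` is still an `int` expression that is converted implicitly when it is passed as the length. Writing `(uint16_t)(strlen(method_buffer) - 3)` puts the cast around the value that is actually handed over, which is what the rest of the series does. The method strings are built outside this hunk, so whether a length below 3 can occur is not visible here; if it cannot, a short comment on that would help the next reader.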
--- a/src/app-layer-register.h
+++ b/src/app-layer-register.h
@@ -27,7 +27,7 @@ typedef struct AppLayerParser {
 const char *name; const char *default_port;
- int ip_proto;
+ uint8_t ip_proto;
 ProbingParserFPtr ProbeTS; ProbingParserFPtr ProbeTC;
From 3961d54fbcb31f8f950f116ed6b0961d47556490 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Dec 2021 09:36:14 +0100 Subject: [PATCH 4/5] smtp: fix int warnings and explicitly truncating filename's length
---
 src/app-layer-smtp.c | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index f2a809bf3669..8d703c236630 100644
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -457,9 +457,12 @@ int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len,
 SCLogDebug("StreamTcpReassemblySetMinInspectDepth STREAM_TOSERVER %"PRIu32, depth); StreamTcpReassemblySetMinInspectDepth(flow->protoctx, STREAM_TOSERVER, depth);
+ uint16_t flen = (uint16_t)entity->filename_len;
+ if (entity->filename_len > UINT16_MAX) {
+ flen = UINT16_MAX;
+ }
 if (FileOpenFileWithId(files, &smtp_config.sbcfg, smtp_state->file_track_id++,
- (uint8_t *) entity->filename, entity->filename_len,
- (uint8_t *) chunk, len, flags) != 0) {
+ (uint8_t *)entity->filename, flen, (uint8_t *)chunk, len, flags) != 0) {
 ret = MIME_DEC_ERR_DATA; SCLogDebug("FileOpenFile() failed"); }
@@ -1154,7 +1157,11 @@ static int SMTPParseCommandWithParam(SMTPState *state, uint8_t prefix_len, uint8
 return -1; memcpy(*target, state->current_line + i, spc_i - i); (*target)[spc_i - i] = '\0';
- *target_len = spc_i - i;
+ if (spc_i - i > UINT16_MAX) {
+ *target_len = UINT16_MAX;
+ } else {
+ *target_len = (uint16_t)(spc_i - i);
+ }
 return 0; }
@@ -1215,6 +1222,9 @@ static int NoNewTx(SMTPState *state)
 return 0; }
+/* XXX have a better name */
+#define rawmsgname "rawmsg"
+
 static int SMTPProcessRequest(SMTPState *state, Flow *f, AppLayerParserState *pstate) {
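Review bot: In SMTPParseCommandWithParam the stored buffer and its recorded length can now disagree: the `memcpy` and the terminator on the two lines above the change still use the full `spc_i - i`, while `*target_len` is capped at UINT16_MAX. A caller that trusts `*target_len` then works on a prefix of a longer string without knowing it. Either compute the clamped length once before the `memcpy` and use it for the copy and the terminator as well, or state the mismatch in a comment such as `/* *target holds the whole parameter; *target_len is capped at UINT16_MAX */`. The allocation of `*target` and the declarations of `spc_i` and `i` are outside this hunk.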
@@ -1255,7 +1265,6 @@ static int SMTPProcessRequest(SMTPState *state, Flow *f,
 SCMemcmpLowercase("data", state->current_line, 4) == 0) { state->current_command = SMTP_COMMAND_DATA; if (smtp_config.raw_extraction) {
- const char *msgname = "rawmsg"; /* XXX have a better name */
 if (state->files_ts == NULL) state->files_ts = FileContainerAlloc(); if (state->files_ts == NULL) {
@@ -1272,10 +1281,9 @@ static int SMTPProcessRequest(SMTPState *state, Flow *f,
 TAILQ_INSERT_TAIL(&state->tx_list, tx, next); tx->tx_id = state->tx_cnt++; }
- if (FileOpenFileWithId(state->files_ts, &smtp_config.sbcfg,
- state->file_track_id++,
- (uint8_t*) msgname, strlen(msgname), NULL, 0,
- FILE_NOMD5|FILE_NOMAGIC|FILE_USE_DETECT) == 0) {
+ if (FileOpenFileWithId(state->files_ts, &smtp_config.sbcfg, state->file_track_id++,
+ (uint8_t *)rawmsgname, strlen(rawmsgname), NULL, 0,
+ FILE_NOMD5 | FILE_NOMAGIC | FILE_USE_DETECT) == 0) {
 SMTPNewFile(state->curr_tx, state->files_ts->tail); } } else if (smtp_config.decode_mime) {
@@ -1378,10 +1386,9 @@ static int SMTPProcessRequest(SMTPState *state, Flow *f,
 } }
-static AppLayerResult SMTPParse(int direction, Flow *f, SMTPState *state,
- AppLayerParserState *pstate, const uint8_t *input,
- uint32_t input_len,
- SMTPThreadCtx *thread_data)
+static AppLayerResult SMTPParse(uint8_t direction, Flow *f, SMTPState *state,
+ AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len,
+ SMTPThreadCtx *thread_data)
 { SCEnter();
From 5e3f3c03f5e0ecf3c5d89dda290dd2a47e5a04f4 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 6 Dec 2021 09:44:12 +0100 Subject: [PATCH 5/5] ssl: fix int warnings especially increasing padding_len size
---
 src/app-layer-ssl.c | 36 +++++++++++++++++------------------- src/app-layer-ssl.h | 2 +- 2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 3fa5bb0550a7..81ad8b80d3af 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -621,7 +621,7 @@ static inline int TLSDecodeHSHelloVersion(SSLState *ssl_state,
 return -1; }
- uint16_t version = *input << 8 | *(input + 1);
+ uint16_t version = (uint16_t)(*input << 8) | *(input + 1);
 ssl_state->curr_connp->version = version; /* TLSv1.3 draft1 to draft21 use the version field as earlier TLS
@@ -745,7 +745,7 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
 if (ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) { cipher_suites_length = 2; } else if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
- cipher_suites_length = *input << 8 | *(input + 1);
+ cipher_suites_length = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; } else { return -1;
@@ -773,7 +773,7 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
 goto invalid_length; }
- uint16_t cipher_suite = *input << 8 | *(input + 1);
+ uint16_t cipher_suite = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (TLSDecodeValueIsGREASE(cipher_suite) != 1) {
@@ -871,7 +871,7 @@ static inline int TLSDecodeHSHelloExtensionSni(SSLState *ssl_state,
 if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t sni_len = *input << 8 | *(input + 1);
+ uint16_t sni_len = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; /* host_name contains the fully qualified domain name,
@@ -944,7 +944,7 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
 goto invalid_length; /* Use the first (and prefered) version as client version */
- ssl_state->curr_connp->version = *input << 8 | *(input + 1);
+ ssl_state->curr_connp->version = (uint16_t)(*input << 8) | *(input + 1);
 /* Set a flag to indicate that we have seen this extension */ ssl_state->flags |= SSL_AL_FLAG_CH_VERSION_EXTENSION;
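Review bot: The two-byte big-endian read `(uint16_t)(*input << 8) | *(input + 1)` is now written out by hand in TLSDecodeHSHelloVersion and in every other hunk of app-layer-ssl.c in this patch, and in each copy the cast covers only the shifted byte, so the OR is promoted back to `int` before it is assigned. A small `static inline uint16_t` helper taking a `const uint8_t *`, with the body `return (uint16_t)((p[0] << 8) | p[1]);`, would keep the cast in one place and cover the whole value. Each call site keeps its own HAS_SPACE or length check, since the helper reads two bytes unconditionally.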
@@ -955,7 +955,7 @@ static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state
 if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t ver = *input << 8 | *(input + 1);
+ uint16_t ver = (uint16_t)(*input << 8) | *(input + 1);
 if ((ssl_state->flags & SSL_AL_FLAG_CH_VERSION_EXTENSION) && (ver > TLS_VERSION_12)) {
@@ -990,7 +990,7 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
 if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t elliptic_curves_len = *input << 8 | *(input + 1);
+ uint16_t elliptic_curves_len = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (!(HAS_SPACE(elliptic_curves_len)))
@@ -1005,7 +1005,7 @@ static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
 if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t elliptic_curve = *input << 8 | *(input + 1);
+ uint16_t elliptic_curve = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (TLSDecodeValueIsGREASE(elliptic_curve) != 1) {
@@ -1121,7 +1121,7 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 if (!(HAS_SPACE(2))) goto end;
- uint16_t extensions_len = *input << 8 | *(input + 1);
+ uint16_t extensions_len = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (!(HAS_SPACE(extensions_len)))
@@ -1134,13 +1134,13 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t ext_type = *input << 8 | *(input + 1);
+ uint16_t ext_type = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (!(HAS_SPACE(2))) goto invalid_length;
- uint16_t ext_len = *input << 8 | *(input + 1);
+ uint16_t ext_len = (uint16_t)(*input << 8) | *(input + 1);
 input += 2; if (!(HAS_SPACE(ext_len)))
@@ -1708,7 +1708,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, const uint8_t *input
 { uint8_t hb_type; uint16_t payload_len;
- uint16_t padding_len;
+ uint32_t padding_len;
 /* expect at least 3 bytes: heartbeat type (1) + length (2) */ if (input_len < 3) {
@@ -1744,8 +1744,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, const uint8_t *input
 return (ssl_state->curr_connp->record_length - 3); }
- payload_len = (*input++) << 8;
- payload_len |= (*input++);
+ payload_len = (uint16_t)(*input << 8) | *(input + 1);
 /* check that the requested payload length is really present in the record (CVE-2014-0160) */
@@ -1846,8 +1845,7 @@ static int SSLv3ParseRecord(uint8_t direction, SSLState *ssl_state,
 if (input_len >= 5) { ssl_state->curr_connp->content_type = input[0]; if (!skip_version) {
- ssl_state->curr_connp->version = input[1] << 8;
- ssl_state->curr_connp->version |= input[2];
+ ssl_state->curr_connp->version = (uint16_t)(input[1] << 8) | input[2];
 } ssl_state->curr_connp->record_length = input[3] << 8; ssl_state->curr_connp->record_length |= input[4];
@@ -1862,7 +1860,7 @@ static int SSLv3ParseRecord(uint8_t direction, SSLState *ssl_state,
 /* fall through */ case 1: if (!skip_version) {
- ssl_state->curr_connp->version = *(input++) << 8;
+ ssl_state->curr_connp->version = (uint16_t)(*(input++) << 8);
 } else { input++; }
@@ -2046,7 +2044,7 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state,
 switch (ssl_state->curr_connp->bytes_processed) { case 4: if (input_len >= 6) {
- uint16_t session_id_length = input[5] | (input[4] << 8);
+ uint16_t session_id_length = (input[5]) | (uint16_t)(input[4] << 8);
 input += 6; input_len -= 6; ssl_state->curr_connp->bytes_processed += 6;
@@ -2102,7 +2100,7 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state,
 switch (ssl_state->curr_connp->bytes_processed) { case 3: if (input_len >= 6) {
- uint16_t session_id_length = input[5] | (input[4] << 8);
+ uint16_t session_id_length = (input[5]) | (uint16_t)(input[4] << 8);
 input += 6; input_len -= 6; ssl_state->curr_connp->bytes_processed += 6;
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index f5ded77ac413..becc5c3def29 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
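Review bot: The rewritten `payload_len` read in SSLv3ParseHeartbeatProtocol no longer advances `input`: the two removed lines used `*input++`, the new line reads `*input` and `*(input + 1)` in place. Nothing in the visible part of the hunk dereferences `input` afterwards, but the function continues outside it, and any later read would now start at the length bytes instead of the payload. If the cursor is meant to move, add `input += 2;` after the assignment; if it is not, a comment such as `/* input is not read past this point */` would show that dropping the increment was deliberate in the code that carries the CVE-2014-0160 length check.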
@@ -239,7 +239,7 @@ typedef struct SSLState_ {
 uint32_t flags; /* there might be a better place to store this*/
- uint16_t hb_record_len;
+ uint32_t hb_record_len;
 uint16_t events;