Fix for the SMTP dissector DoS See: http://www.securityfocus.com/archive/1/498562/30/0/threaded Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24989&r2=24988&pathrev=24989&view=patch Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24994&r2=24993&pathrev=24994&view=patch --- epan/dissectors/packet-smtp.c 2008/04/13 16:21:22 24988 +++ epan/dissectors/packet-smtp.c 2008/04/13 16:33:44 24989 @@ -97,10 +97,6 @@ "DATA fragments" }; -/* Define media_type/Content type table */ -static dissector_table_t media_type_dissector_table; - - static dissector_handle_t imf_handle = NULL; /* @@ -175,6 +171,7 @@ gint length_remaining; gboolean eom_seen = FALSE; gint next_offset; + gint loffset; gboolean is_continuation_line; int cmdlen; fragment_data *frag_msg = NULL; @@ -217,21 +214,6 @@ * longer than what's in the buffer, so the "tvb_get_ptr()" call * won't throw an exception. */ - linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, - smtp_desegment && pinfo->can_desegment); - if (linelen == -1) { - /* - * We didn't find a line ending, and we're doing desegmentation; - * tell the TCP dissector where the data for this message starts - * in the data it handed us, and tell it we need one more byte - * (we may need more, but we'll try again if what we get next - * isn't enough), and return. - */ - pinfo->desegment_offset = offset; - pinfo->desegment_len = 1; - return; - } - line = tvb_get_ptr(tvb, offset, linelen); frame_data = p_get_proto_data(pinfo->fd, proto_smtp); @@ -267,6 +249,42 @@ } + if(request) { + frame_data = se_alloc(sizeof(struct smtp_proto_data)); + + frame_data->conversation_id = conversation->index; + frame_data->more_frags = TRUE; + + p_add_proto_data(pinfo->fd, proto_smtp, frame_data); + + } + + loffset = offset; + while (tvb_offset_exists(tvb, loffset)) { + + linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, + smtp_desegment && pinfo->can_desegment); + if (linelen == -1) { + + if(offset == loffset) { + /* + * We didn't find a line ending, and we're doing desegmentation; + * tell the TCP dissector where the data for this message starts + * in the data it handed us, and tell it we need one more byte + * (we may need more, but we'll try again if what we get next + * isn't enough), and return. + */ + pinfo->desegment_offset = loffset; + pinfo->desegment_len = 1; + return; + } + else { + linelen = tvb_length_remaining(tvb, loffset); + next_offset = loffset + linelen; + } + } + line = tvb_get_ptr(tvb, loffset, linelen); + /* * Check whether or not this packet is an end of message packet * We should look for CRLF.CRLF and they may be split. @@ -282,16 +300,16 @@ * .CRLF at the begining of the same packet. */ - if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) || - tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) { + if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) || + tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) { eom_seen = TRUE; - } + } - length_remaining = tvb_length_remaining(tvb, offset); - if (length_remaining == tvb_reported_length_remaining(tvb, offset) && - tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) { + length_remaining = tvb_length_remaining(tvb, loffset); + if (length_remaining == tvb_reported_length_remaining(tvb, loffset) && + tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) { request_val->crlf_seen = TRUE; @@ -310,11 +328,6 @@ if (request) { - frame_data = se_alloc(sizeof(struct smtp_proto_data)); - - frame_data->conversation_id = conversation->index; - frame_data->more_frags = TRUE; - if (request_val->reading_data) { /* * This is message data. @@ -329,6 +342,9 @@ */ frame_data->pdu_type = SMTP_PDU_EOM; request_val->reading_data = FALSE; + + break; + } else { /* * Message data with no EOM. @@ -340,7 +356,7 @@ * We are handling a BDAT message. * Check if we have reached end of the data chunk. */ - request_val->msg_read_len += tvb_length_remaining(tvb, offset); + request_val->msg_read_len += tvb_length_remaining(tvb, loffset); if (request_val->msg_read_len == request_val->msg_tot_len) { /* @@ -356,6 +372,8 @@ */ frame_data->more_frags = FALSE; } + + break; /* no need to go through the remaining lines */ } } } @@ -446,12 +464,15 @@ frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD; } - } + } - p_add_proto_data(pinfo->fd, proto_smtp, frame_data); + /* + * Step past this line. + */ + loffset = next_offset; - } + } } /* @@ -463,6 +484,7 @@ col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP"); if (check_col(pinfo->cinfo, COL_INFO)) { /* Add the appropriate type here */ + col_clear(pinfo->cinfo, COL_INFO); /* * If it is a request, we have to look things up, otherwise, just @@ -477,21 +499,38 @@ case SMTP_PDU_MESSAGE: length_remaining = tvb_length_remaining(tvb, offset); - col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body"); + col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body"); col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining, plurality (length_remaining, "", "s")); break; case SMTP_PDU_EOM: - col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s", - format_text(line, linelen)); + col_set_str(pinfo->cinfo, COL_INFO, "C: ."); + break; case SMTP_PDU_CMD: - col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s", - format_text(line, linelen)); + loffset = offset; + while (tvb_offset_exists(tvb, loffset)) { + /* + * Find the end of the line. + */ + linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); + line = tvb_get_ptr(tvb, loffset, linelen); + + if(loffset == offset) + col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s", + format_text(line, linelen)); + else { + col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", + format_text(line, linelen)); + } + + loffset = next_offset; + + } break; } @@ -499,9 +538,24 @@ } else { - col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s", - format_text(line, linelen)); + loffset = offset; + while (tvb_offset_exists(tvb, loffset)) { + /* + * Find the end of the line. + */ + linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); + line = tvb_get_ptr(tvb, loffset, linelen); + + if(loffset == offset) + col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s", + format_text(line, linelen)); + else { + col_append_fstr(pinfo->cinfo, COL_INFO, " | %s", + format_text(line, linelen)); + } + loffset = next_offset; + } } } @@ -556,8 +610,7 @@ * DATA command this terminates before sending another * request, but we should probably handle it. */ - proto_tree_add_text(smtp_tree, tvb, offset, linelen, - "EOM: %s", format_text(line, linelen)); + proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: ."); if(smtp_data_desegment) { @@ -578,6 +631,15 @@ * previous command before sending another request, but we * should probably handle it. */ + + loffset = offset; + while (tvb_offset_exists(tvb, loffset)) { + + /* + * Find the end of the line. + */ + linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE); + if (linelen >= 4) cmdlen = 4; else @@ -587,16 +649,16 @@ /* * Put the command line into the protocol tree. */ - ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset, + ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset, "Command: %s", - tvb_format_text(tvb, offset, next_offset - offset)); + tvb_format_text(tvb, loffset, next_offset - loffset)); cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp); proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb, - offset, cmdlen, FALSE); + loffset, cmdlen, FALSE); if (linelen > 5) { proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb, - offset + 5, linelen - 5, FALSE); + loffset + 5, linelen - 5, FALSE); } if (smtp_data_desegment && !frame_data->more_frags) { @@ -605,6 +667,13 @@ frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table, smtp_data_reassembled_table); } + + /* + * Step past this line. + */ + loffset = next_offset; + + } } if (smtp_data_desegment) { @@ -689,8 +758,8 @@ /* * If it's not a continuation line, quit. */ - if (!is_continuation_line) - break; + /* if (!is_continuation_line) + break; */ } @@ -771,7 +840,6 @@ }; module_t *smtp_module; - proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol", "SMTP", "smtp"); @@ -808,11 +876,6 @@ dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle); dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle); - /* - * Get the content type and Internet media type table - */ - media_type_dissector_table = find_dissector_table("media_type"); - /* find the IMF dissector */ imf_handle = find_dissector("imf"); --- epan/dissectors/packet-smtp.c 2008/04/13 16:55:56 24993 +++ epan/dissectors/packet-smtp.c 2008/04/13 16:58:57 24994 @@ -167,7 +167,7 @@ struct smtp_request_val *request_val; const guchar *line; guint32 code; - int linelen; + int linelen = 0; gint length_remaining; gboolean eom_seen = FALSE; gint next_offset;