Topic: Sniffer bugs

Hi there,

There appears to be some bugs in the sniffer.c file - is this the right place to report it?

-------------------------------- src/sniffer.c --------------------------------
index 80b9068..12714ef 100644
@@ -1905,7 +1905,7 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
     if ( (length = ssl->buffers.inputBuffer.length) ) {
         Trace(PARTIAL_ADD_STR);
         
-        if ( (*sslBytes + length) > sizeof(ssl->buffers.inputBuffer.buffer)) {
+        if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
             SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
             return -1;
         }
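Review bot: the `-` line applies sizeof to ssl->buffers.inputBuffer.buffer, so if that member is a pointer rather than an in-struct array, sizeof yields the pointer size and the check compares against a few bytes instead of the buffer's capacity; the `+` line's use of bufferSize is the right fix, provided bufferSize is updated wherever the input buffer is allocated or grown. Also consider whether `*sslBytes + length` can wrap before the comparison, since an overflowed sum would slip past this bound.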
@@ -2010,7 +2010,7 @@ doMessage:
         
         /* store partial if not there already or we advanced */
         if (ssl->buffers.inputBuffer.length == 0 || sslBegin != sslFrame) {
-            if (sslBytes > sizeof(ssl->buffers.inputBuffer.buffer)) {
+            if (sslBytes > ssl->buffers.inputBuffer.bufferSize) {
                 SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
                 return -1;
             }
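Review bot: this check compares only sslBytes against bufferSize, whereas the first hunk checks `*sslBytes + length`; the enclosing condition `ssl->buffers.inputBuffer.length == 0 || sslBegin != sslFrame` lets the branch run while a partial record is already held, so confirm that the store which follows replaces the existing partial rather than appending to it, and if it appends, add inputBuffer.length to sslBytes before comparing.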


Re: Sniffer bugs

Hi,

Thanks for the bug submission, we've made the fix and checked it in. Bugs can either be submitted here in our forums or by opening a GitHub issue on our wolfSSL GitHub project page (https://github.com/wolfSSL/wolfssl).

What project are you working on?

Regards,
Chris

3 (edited by nerd2 2011-03-02 11:28:11)

Re: Sniffer bugs

Hi there,

Thanks for fixing that so quickly. I'm doing a uni project on SSL/TLS parsing using your embedded SSL library, and your SSLsniffer came up.

I'm also confused by this code:

static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
                                  byte* output)
{
    Decrypt(ssl, output, input, sz);
    ssl->keys.encryptSz = sz;
    if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
        return output + ssl->specs.block_size; /* go past TLSv1.1 IV */

    return output;
}

    if (session->flags.side == SERVER_END && session->flags.serverCipherOn)
        sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
                                  ssl->buffers.outputBuffer.buffer);
    else if (session->flags.side == CLIENT_END && session->flags.clientCipherOn)
        sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
                                  ssl->buffers.outputBuffer.buffer);

This code seems to take the "return output;" from DecryptMessage and store it in "sslFrame", which I thought was the input buffer. Can you explain this bit?

Thanks loads,
Sam


Re: Sniffer bugs

Sam,

Glad to hear that you found our SSL sniffer to use with your project!

sslFrame is the input pointer. This means that it points to the input frame, whether that be the original data or a decoded frame. To the end consumer of the input, it doesn't matter if sslFrame is pointing to the original data or decoded data.

In the code you referenced above, the encrypted data can't be used as input, so it is decrypted by the "DecryptMessage()" function and stored into the output buffer. After this, sslFrame is re-pointed to the output buffer (our decrypted data).

Does this help?

- Chris
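The re-pointing Chris describes, as an added illustration in C that is not the sniffer's own code: a constructed model with a placeholder XOR "cipher" and assumed field names (SnifferState, outputBuffer, ProcessRecord), showing that after DecryptMessage() the sslFrame pointer addresses the separate output buffer, past the TLS 1.1 IV, while the captured bytes are left untouched.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t  byte;
typedef uint32_t word32;

/* Constructed stand-in for the sniffer session state (names are assumptions). */
typedef struct {
    int    tls1_1;        /* record carries an explicit IV before the data */
    int    block_cipher;  /* 1 for a CBC-style cipher, 0 for a stream cipher */
    word32 block_size;    /* IV length skipped for TLS 1.1 block ciphers */
    byte*  outputBuffer;  /* decrypted bytes land here, never in the input */
} SnifferState;

/* Placeholder "cipher" (XOR with a fixed byte) so the example runs offline. */
static void Decrypt(byte* out, const byte* in, word32 sz) {
    for (word32 i = 0; i < sz; i++) out[i] = in[i] ^ 0x5A;
}

/* Same shape as the sniffer's DecryptMessage(): decrypt into output and
 * return a pointer into it, past the TLS 1.1 IV when one is present. */
static const byte* DecryptMessage(SnifferState* st, const byte* input,
                                  word32 sz, byte* output) {
    Decrypt(output, input, sz);
    if (st->tls1_1 && st->block_cipher)
        return output + st->block_size;
    return output;
}

/* One record as the sniffer handles it: sslFrame starts on the captured bytes
 * and is re-pointed to the decrypted copy. Returns the plaintext length copied
 * into plain, or 0 when the record is too short or plain is too small. */
static word32 ProcessRecord(SnifferState* st, const byte* capture, word32 rhSize,
                            byte* plain, word32 plainCap) {
    const byte* sslFrame = capture;
    word32 skip = (st->tls1_1 && st->block_cipher) ? st->block_size : 0;
    if (rhSize <= skip || rhSize - skip > plainCap) return 0;
    sslFrame = DecryptMessage(st, sslFrame, rhSize, st->outputBuffer);
    /* sslFrame now addresses outputBuffer, so this memcpy reads plaintext. */
    memcpy(plain, sslFrame, rhSize - skip);
    return rhSize - skip;
}

/* Constructed round trip: 8 IV bytes then "hello" under the placeholder
 * cipher. Returns 1 if the copy is right and the capture was not modified. */
static int DemoRoundTrip(void) {
    static byte outbuf[64];
    SnifferState st = { 1, 1, 8, outbuf };
    byte capture[13] = { 1, 2, 3, 4, 5, 6, 7, 8 }, saved[13], plain[16];
    Decrypt(capture + 8, (const byte*)"hello", 5);   /* XOR is its own inverse */
    memcpy(saved, capture, sizeof capture);
    word32 n = ProcessRecord(&st, capture, 13, plain, sizeof plain);
    return n == 5 && memcmp(plain, "hello", 5) == 0
                  && memcmp(capture, saved, sizeof capture) == 0;
}
```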

Re: Sniffer bugs

chrisc wrote:

In the code you referenced above, the encrypted data can't be used as input, so it is decrypted by the "DecryptMessage()" function and stored into the output buffer.  After this, sslFrame is re-pointed to the output buffer (our decrypted data).

Hi Chris,

That's going to cause a problem if some of the later code does something like memcpy(data, sslFrame, s), right? Do we just have to write the rest of the code with that in mind?

Cheers


Re: Sniffer bugs

Sam,

Would you mind explaining a little more?

Thanks,
Chris