suricata
util-file-swf-decompression.c
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /** \file
19  *
20  * \author Giuseppe Longo <giuseppe@glongo.it>
21  *
22  */
23 
24 
25 #include "suricata.h"
26 #include "suricata-common.h"
27 
28 #include "app-layer-htp.h"
29 
32 #include "util-misc.h"
33 #include "util-print.h"
34 #include "util-validate.h"
35 
36 #include "rust.h"
37 
38 #include <zlib.h>
39 
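#define MAX_SWF_DECOMPRESSED_LEN 50000000

/**
 * \brief Read the uncompressed-length field from a SWF header.
 *
 * Bytes 4..7 of the header hold the length as a little-endian 32-bit value.
 * The field comes from the file itself and is therefore untrusted input:
 * the result is capped at MAX_SWF_DECOMPRESSED_LEN, so a crafted header can
 * never report more than that to the caller.
 *
 * NOTE(review): presumably callers size the decompression output buffer
 * from this value, which is what makes the cap matter -- confirm at the
 * call site.
 *
 * \param buffer     start of the SWF file data
 * \param buffer_len number of bytes available in buffer
 *
 * \retval 0 if fewer than 8 bytes are available
 * \retval the header length, capped at MAX_SWF_DECOMPRESSED_LEN
 */
uint32_t FileGetSwfDecompressedLen(const uint8_t *buffer,
                                   const uint32_t buffer_len)
{
    /* the length field ends at offset 7; never read past a short buffer */
    if (buffer_len < 8) {
        return 0;
    }

    /* assemble the little-endian field byte by byte, so the result does not
     * depend on host byte order */
    const uint32_t len = ((uint32_t)buffer[4]) |
                         ((uint32_t)buffer[5] << 8) |
                         ((uint32_t)buffer[6] << 16) |
                         ((uint32_t)buffer[7] << 24);

    /* clamp the attacker-controlled length before handing it back */
    if (len > (uint32_t)MAX_SWF_DECOMPRESSED_LEN) {
        return (uint32_t)MAX_SWF_DECOMPRESSED_LEN;
    }
    return len;
}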
69 
/**
 * \brief Return the SWF version byte from the file header.
 *
 * The version is the fourth header byte (offset 3), directly after the
 * three-byte signature.
 *
 * \param buffer     start of the SWF file data
 * \param buffer_len number of bytes available in buffer
 *
 * \retval 0 if the buffer holds fewer than four bytes
 * \retval the byte at offset 3 otherwise
 */
uint8_t FileGetSwfVersion(const uint8_t *buffer, const uint32_t buffer_len)
{
    /* offset 3 is only readable once at least four bytes are present */
    return (buffer_len >= 4) ? buffer[3] : 0;
}
77 
78 /* CWS format */
79 /*
80  * | 4 bytes | 4 bytes | n bytes |
81  * | 'CWS' + version | script len | compressed data |
82  */
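/**
 * \brief Inflate the zlib-compressed body of a CWS file into a caller-supplied buffer.
 *
 * inflate() is called exactly once with avail_out set to decompressed_data_len,
 * so zlib cannot write more than that many bytes whatever expansion ratio the
 * (untrusted) stream encodes. Z_OK -- stream not yet finished, for example
 * because the output buffer filled up -- is accepted as success alongside
 * Z_STREAM_END, so the output may be a truncated prefix of the full script.
 * The number of bytes actually produced is not reported to the caller.
 *
 * Every failure raises a FILE_DECODER_EVENT_Z_* event on det_ctx.
 *
 * \param det_ctx               detection thread context that receives decoder events
 * \param compressed_data       start of the zlib stream
 * \param compressed_data_len   number of compressed bytes available
 * \param decompressed_data     output buffer
 * \param decompressed_data_len capacity of the output buffer
 *
 * \retval 1 inflate() returned Z_STREAM_END or Z_OK
 * \retval 0 zlib could not be initialised or reported an error
 */
int FileSwfZlibDecompression(DetectEngineThreadCtx *det_ctx,
                             uint8_t *compressed_data, uint32_t compressed_data_len,
                             uint8_t *decompressed_data, uint32_t decompressed_data_len)
{
    z_stream infstream;
    memset(&infstream, 0, sizeof(infstream));
    infstream.zalloc = Z_NULL;
    infstream.zfree = Z_NULL;
    infstream.opaque = Z_NULL;

    infstream.avail_in = (uInt)compressed_data_len;
    infstream.next_in = (Bytef *)compressed_data;
    /* hard bound on output: inflate() stops once avail_out reaches zero */
    infstream.avail_out = (uInt)decompressed_data_len;
    infstream.next_out = (Bytef *)decompressed_data;

    if (inflateInit(&infstream) != Z_OK) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR);
        return 0;
    }

    int ret = 1;
    switch (inflate(&infstream, Z_NO_FLUSH)) {
        case Z_STREAM_END:
        case Z_OK:
            /* complete stream, or partial output that filled the buffer */
            break;
        case Z_DATA_ERROR:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_DATA_ERROR);
            ret = 0;
            break;
        case Z_STREAM_ERROR:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_STREAM_ERROR);
            ret = 0;
            break;
        case Z_BUF_ERROR:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_BUF_ERROR);
            ret = 0;
            break;
        default:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR);
            ret = 0;
            break;
    }
    /* release zlib's internal state on success and on error alike */
    inflateEnd(&infstream);

    return ret;
}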
132 
133 /* ZWS format */
134 /*
135  * | 4 bytes | 4 bytes | 4 bytes | 5 bytes | n bytes | 6 bytes |
136  * | 'ZWS' + version | script len | compressed len | LZMA props | LZMA data | LZMA end marker |
137  */
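/**
 * \brief Decompress the LZMA body of a ZWS file into a caller-supplied buffer.
 *
 * The input and output sizes are handed to lzma_decompress() by pointer,
 * initialised to compressed_data_len and decompressed_data_len, and
 * MAX_SWF_DECOMPRESSED_LEN is passed as its final argument. The decoder's
 * status is mapped to 1 (LzmaOk) or 0 (anything else); every failure raises a
 * FILE_DECODER_EVENT_LZMA_* event on det_ctx.
 *
 * NOTE(review): the final lzma_decompress() argument is presumably the
 * decoder's memory limit, and outprocessed presumably bounds the bytes
 * written -- confirm against the binding declared in rust.h. The updated
 * in/out counts are not reported to the caller.
 *
 * \param det_ctx               detection thread context that receives decoder events
 * \param compressed_data       start of the LZMA data
 * \param compressed_data_len   number of compressed bytes available
 * \param decompressed_data     output buffer
 * \param decompressed_data_len capacity of the output buffer
 *
 * \retval 1 the decoder returned LzmaOk
 * \retval 0 the decoder reported any error
 */
int FileSwfLzmaDecompression(DetectEngineThreadCtx *det_ctx,
                             uint8_t *compressed_data, uint32_t compressed_data_len,
                             uint8_t *decompressed_data, uint32_t decompressed_data_len)
{
    int ret = 0;

    size_t inprocessed = compressed_data_len;
    size_t outprocessed = decompressed_data_len;

    ret = lzma_decompress(compressed_data, &inprocessed, decompressed_data, &outprocessed,
                          MAX_SWF_DECOMPRESSED_LEN);

    /* translate the decoder status into the 1/0 result and a decoder event */
    switch (ret) {
        case LzmaOk:
            ret = 1;
            break;
        case LzmaIoError:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_IO_ERROR);
            ret = 0;
            break;
        case LzmaHeaderTooShortError:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR);
            ret = 0;
            break;
        case LzmaError:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DECODER_ERROR);
            ret = 0;
            break;
        case LzmaMemoryError:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR);
            ret = 0;
            break;
        case LzmaXzError:
            /* We should not see XZ compressed SWF files */
            DEBUG_VALIDATE_BUG_ON(ret == LzmaXzError);
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_XZ_ERROR);
            ret = 0;
            break;
        default:
            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR);
            ret = 0;
            break;
    }

    return ret;
}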
MAX_SWF_DECOMPRESSED_LEN
#define MAX_SWF_DECOMPRESSED_LEN
Definition: util-file-swf-decompression.c:40
len
uint8_t len
Definition: app-layer-dnp3.h:2
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR
Definition: detect.h:1330
FILE_DECODER_EVENT_LZMA_DECODER_ERROR
@ FILE_DECODER_EVENT_LZMA_DECODER_ERROR
Definition: detect.h:1327
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
@ FILE_DECODER_EVENT_Z_UNKNOWN_ERROR
Definition: detect.h:1324
rust.h
DetectEngineSetEvent
void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
Definition: detect-engine.c:4991
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
FILE_DECODER_EVENT_LZMA_XZ_ERROR
@ FILE_DECODER_EVENT_LZMA_XZ_ERROR
Definition: detect.h:1329
FileGetSwfVersion
uint8_t FileGetSwfVersion(const uint8_t *buffer, const uint32_t buffer_len)
Definition: util-file-swf-decompression.c:70
FileSwfLzmaDecompression
int FileSwfLzmaDecompression(DetectEngineThreadCtx *det_ctx, uint8_t *compressed_data, uint32_t compressed_data_len, uint8_t *decompressed_data, uint32_t decompressed_data_len)
Definition: util-file-swf-decompression.c:138
app-layer-htp.h
DetectEngineThreadCtx_
Definition: detect.h:1098
util-print.h
FILE_DECODER_EVENT_Z_STREAM_ERROR
@ FILE_DECODER_EVENT_Z_STREAM_ERROR
Definition: detect.h:1322
FILE_DECODER_EVENT_LZMA_IO_ERROR
@ FILE_DECODER_EVENT_LZMA_IO_ERROR
Definition: detect.h:1325
FILE_DECODER_EVENT_Z_BUF_ERROR
@ FILE_DECODER_EVENT_Z_BUF_ERROR
Definition: detect.h:1323
FileSwfZlibDecompression
int FileSwfZlibDecompression(DetectEngineThreadCtx *det_ctx, uint8_t *compressed_data, uint32_t compressed_data_len, uint8_t *decompressed_data, uint32_t decompressed_data_len)
Definition: util-file-swf-decompression.c:83
suricata-common.h
util-validate.h
util-file-swf-decompression.h
FILE_DECODER_EVENT_Z_DATA_ERROR
@ FILE_DECODER_EVENT_Z_DATA_ERROR
Definition: detect.h:1321
util-file-decompression.h
suricata.h
FileGetSwfDecompressedLen
uint32_t FileGetSwfDecompressedLen(const uint8_t *buffer, const uint32_t buffer_len)
Definition: util-file-swf-decompression.c:45
util-misc.h
FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
@ FILE_DECODER_EVENT_LZMA_HEADER_TOO_SHORT_ERROR
Definition: detect.h:1326
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
@ FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR
Definition: detect.h:1328