Bugfixes - TLS and QUIC parsers

Author: Zainullin Damir

src/plugins/process/common/tlsParser/extensionReaders/extensionReader.hpp

@@ -9,7 +9,6 @@
 
 #include "../tlsExtension.hpp"
 
-#include <iostream>
 #include <optional>
 #include <ranges>
 #include <span>
@@ -31,7 +30,7 @@ class ExtensionReader : public RangeReader {
 public:
 	auto getRange(std::span<const std::byte> payload) noexcept
 	{
-		return Generator([&]() -> std::optional<TLSExtension> {
+		return Generator([payload, this]() mutable -> std::optional<TLSExtension> {
 			if (payload.empty()) {
 				setSuccess();
 				return std::nullopt;
@@ -42,7 +41,6 @@ class ExtensionReader : public RangeReader {
 
 			const auto type = static_cast<TLSExtensionType>(
 				ntohs(*reinterpret_cast<const uint16_t*>(payload.data())));
-			std::cout << "Extension type raw: " << std::hex << static_cast<uint16_t>(type) << "\n";
 			const uint16_t length
 				= ntohs(*reinterpret_cast<const uint16_t*>(payload.data() + sizeof(type)));
 			if (length > payload.size()) {

src/plugins/process/common/tlsParser/extensionReaders/userAgentReader.hpp

@@ -42,6 +42,7 @@ struct UserAgentReader : public RangeReader {
 				setSuccess();
 				return std::nullopt;
 			}
+
 			const std::optional<quic::VariableLengthInt> id
 				= quic::readQUICVariableLengthInt(userAgentExtension);
 			if (!id.has_value()) {
@@ -64,7 +65,7 @@ struct UserAgentReader : public RangeReader {
 				= reinterpret_cast<const char*>(userAgentExtension.data() + userAgentOffset);
 
 			userAgentExtension
-				= userAgentExtension.subspan(userAgentOffset + userAgentLength->length);
+				= userAgentExtension.subspan(userAgentOffset + userAgentLength->value);
 
 			return UserAgent {id->value, {userAgent, userAgentLength->value}};
 		});

src/plugins/process/common/tlsParser/tlsParser.cpp

@@ -12,6 +12,7 @@
 #include "tlsParser.hpp"
 
 #include "extensionReaders/extensionReader.hpp"
+#include "extensionReaders/serverNameReader.hpp"
 #include "extensionReaders/userAgentReader.hpp"
 #include "tlsHandshake.hpp"
 #include "tlsHeader.hpp"
@@ -84,11 +85,11 @@ parseHeader(std::span<const std::byte> payload, const bool isQUIC) noexcept
 	if (isQUIC) {
 		return 0;
 	}
-	const auto* tlsHeader = reinterpret_cast<const TLSHeader*>(payload.data());
 
 	if (sizeof(TLSHeader) > payload.size()) {
 		return std::nullopt;
 	}
+	const auto* tlsHeader = reinterpret_cast<const TLSHeader*>(payload.data());
 
 	if (tlsHeader->type != TLSHeader::Type::HANDSHAKE) {
 		return std::nullopt;
@@ -103,6 +104,10 @@ parseHeader(std::span<const std::byte> payload, const bool isQUIC) noexcept
 
 bool TLSParser::parseExtensions(const std::function<bool(const TLSExtension&)>& callable) noexcept
 {
+	if (!m_extensions.has_value()) {
+		return false;
+	}
+
 	ExtensionReader reader;
 	return std::ranges::all_of(reader.getRange(*m_extensions), callable)
 		&& reader.parsedSuccessfully();
@@ -152,15 +157,26 @@ static std::optional<TLSHandshake> parseHandshake(std::span<const std::byte> pay
 	return *handshake;
 }
 
-constexpr static std::optional<TLSParser::CipherSuites>
-parseClientCipherSuites(std::span<const std::byte> payload) noexcept
+struct ParsedCipherSuitesSection {
+	TLSParser::CipherSuites cipherSuites;
+	std::size_t sectionLength;
+};
+
+constexpr static std::optional<ParsedCipherSuitesSection> parseClientCipherSuites(
+	std::span<const std::byte> payload,
+	const TLSHandshake::Type handshakeType) noexcept
 {
-	auto res = std::make_optional<TLSParser::CipherSuites>();
+	auto res = std::make_optional<ParsedCipherSuitesSection>();
 
 	if (payload.size() < sizeof(uint16_t)) {
 		return std::nullopt;
 	}
 
+	if (handshakeType == TLSHandshake::Type::SERVER_HELLO) {
+		res->sectionLength = sizeof(uint16_t);
+		return res;
+	}
+
 	const uint16_t clientCipherSuitesLength
 		= ntohs(*reinterpret_cast<const uint16_t*>(payload.data()));
 	if (sizeof(clientCipherSuitesLength) + clientCipherSuitesLength > payload.size()) {
@@ -173,8 +189,10 @@ parseClientCipherSuites(std::span<const std::byte> payload) noexcept
 			clientCipherSuitesLength / sizeof(uint16_t))
 			| std::views::transform(ntohs)
 			| std::views::filter(std::not_fn(TLSParser::isGreaseValue))
-			| std::views::take(res->capacity()),
-		std::back_inserter(*res));
+			| std::views::take(res->cipherSuites.capacity()),
+		std::back_inserter(res->cipherSuites));
+
+	res->sectionLength = sizeof(clientCipherSuitesLength) + clientCipherSuitesLength;
 
 	return res;
 }
@@ -195,22 +213,26 @@ bool TLSParser::parse(std::span<const std::byte> payload, const bool isQUIC) noe
 	constexpr std::size_t randomBytesLength = 32;
 	const std::size_t sessionIdLengthOffset
 		= handshakeOffset + sizeof(TLSHandshake) + randomBytesLength;
+	if (payload.size() < sessionIdLengthOffset) {
+		return false;
+	}
+
 	const std::optional<uint8_t> sessionIdSectionLength
 		= getSessionIdSectionLength(payload.subspan(sessionIdLengthOffset));
 	if (!sessionIdSectionLength) {
 		return false;
 	}
 
 	const std::size_t cipherSuitesOffset = sessionIdLengthOffset + *sessionIdSectionLength;
-	if (handshake->type == TLSHandshake::Type::CLIENT_HELLO) {
-		cipherSuites = parseClientCipherSuites(payload.subspan(cipherSuitesOffset));
-		if (!cipherSuites.has_value()) {
-			return false;
-		}
+	const std::optional<ParsedCipherSuitesSection> parsedCipherSuitesSection
+		= parseClientCipherSuites(payload.subspan(cipherSuitesOffset), handshake->type);
+	if (!parsedCipherSuitesSection.has_value()) {
+		return false;
 	}
+	cipherSuites = parsedCipherSuitesSection->cipherSuites;
 
-	const std::size_t compressionMethodsOffset = cipherSuitesOffset + sizeof(uint16_t)
-		+ (cipherSuites.has_value() ? cipherSuites->size() * sizeof(uint16_t) : 0);
+	const std::size_t compressionMethodsOffset
+		= cipherSuitesOffset + parsedCipherSuitesSection->sectionLength;
 	const std::optional<std::size_t> compressionMethodsLength
 		= getCompressionMethodsLength(payload.subspan(compressionMethodsOffset), *handshake);
 	if (!compressionMethodsLength.has_value()) {
@@ -241,7 +263,7 @@ TLSParser::parseServerNames(std::span<const std::byte> extension) noexcept
 		return std::nullopt;
 	}
 
-	PrefixedLengthStringReader<uint16_t> reader;
+	ServerNameReader reader;
 	std::ranges::copy(
 		reader.getRange(extension.subspan(sizeof(servernameListLength), servernameListLength))
 			| std::views::take(res->capacity()),
@@ -259,10 +281,13 @@ TLSParser::parseUserAgent(std::span<const std::byte> extension) noexcept
 	auto res = std::make_optional<UserAgents>();
 
 	UserAgentReader reader;
+
+	constexpr static std::size_t GOOGLE_USER_AGENT_ID = 12585;
 	std::ranges::copy(
-		reader.getRange(extension) | std::views::transform([](const UserAgent& userAgent) {
-			return userAgent.value;
-		}) | std::views::take(res->capacity()),
+		reader.getRange(extension) | std::views::filter([](const UserAgent& userAgent) {
+			return userAgent.id == GOOGLE_USER_AGENT_ID;
+		}) | std::views::transform([](const UserAgent& userAgent) { return userAgent.value; })
+			| std::views::take(res->capacity()),
 		std::back_inserter(*res));
 	if (!reader.parsedSuccessfully()) {
 		return std::nullopt;
@@ -386,7 +411,8 @@ std::optional<TLSParser::SupportedVersions> TLSParser::parseSupportedVersions(
 		toSpan<const uint16_t>(
 			extension.data() + sizeof(versionsLength),
 			versionsLength / sizeof(uint16_t))
-			| std::views::transform(std::not_fn(isGreaseValue)),
+			| std::views::filter(std::not_fn(isGreaseValue)) | std::views::transform(ntohs)
+			| std::views::take(res->capacity()),
 		std::back_inserter(*res));
 
 	return res;

src/plugins/process/quic/src/quicInitialHeaderView.cpp

@@ -276,6 +276,10 @@ encryptSample(const QUICInitialSecrets& initialSecrets, std::span<const std::byt
 		return std::nullopt;
 	}
 
+	if (updateLength + finalLength > plaintext.size()) {
+		return std::nullopt;
+	}
+
 	return toSpan<const std::byte>(plaintext.data(), updateLength + finalLength);
 }
 
@@ -321,6 +325,15 @@ static std::optional<QUICInitialHeaderView::DeobfuscatedHeader> decryptInitialHe
 	//	= payload.subspan(-primaryHeaderLength, payload.size() + primaryHeaderLength);
 	const std::byte deobfuscatedFormHeader = payload[0] ^ (mask[0] & std::byte {0x0f});
 	const uint8_t packetNumberLength = (static_cast<uint8_t>(deobfuscatedFormHeader) & 0x03) + 1;
+
+	if (encryptedPacketNumber + packetNumberLength - payload.data() > payload.size()) {
+		return std::nullopt;
+	}
+	if (encryptedPacketNumber + packetNumberLength - payload.data()
+		> deobfuscatedHeader->capacity()) {
+		return std::nullopt;
+	}
+
 	deobfuscatedHeader->insert(
 		deobfuscatedHeader->end(),
 		payload.data(),
@@ -688,8 +701,6 @@ reassembleCryptoFrames(std::span<const std::byte> decryptedPayload) noexcept
 bool QUICInitialHeaderView::parseTLSExtensions(TLSParser& parser) noexcept
 {
 	const bool extensionsParsed = parser.parseExtensions([&](const TLSExtension& extension) {
-		std::cout << "Parsing extension type: " << std::hex << static_cast<uint16_t>(extension.type)
-				  << "\n";
 		if (extension.type == TLSExtensionType::SERVER_NAME && !extension.payload.empty()) {
 			const std::optional<TLSParser::ServerNames> parsedServerNames
 				= parser.parseServerNames(extension.payload);
@@ -820,6 +831,9 @@ std::optional<QUICInitialHeaderView> QUICInitialHeaderView::createFrom(
 		return std::nullopt;
 	}
 	res->tokenLength = tokenLength->value;
+	if (tokenLength->length + tokenLength->value > payload.size()) {
+		return std::nullopt;
+	}
 
 	const std::optional<VariableLengthInt> restPayloadLength
 		= readQUICVariableLengthInt(payload.subspan(tokenLength->length + tokenLength->value));

src/plugins/process/quic/src/quicParser.cpp

@@ -135,7 +135,6 @@ bool QUICParser::parse(
 	for (std::optional<std::size_t> secondaryHeaderSize = std::nullopt;
 		 payload.size() >= MIN_PACKET_SIZE;
 		 payload = payload.subspan(*secondaryHeaderSize)) {
-		// TODO CHECK IF SUBSPAN NOT STARTS AFTER SPAN END
 		const std::optional<QUICHeaderView> headerView
 			= QUICHeaderView::createFrom(payload, l4Protocol);
 		if (!headerView.has_value()) {