Merge pull request #846 from catenacyber/fuzzofix

Fix various buffer over reads
2026-05-06 03:45:32 +00:00 · 2020-02-19 22:55:18 +01:00 · 2020-02-19 22:55:18 +01:00 · 080e23e30e
commit 080e23e30e
parent edce5a8c1f ee979ac14a
4 changed files with 13 additions and 3 deletions
--- a/example/reader_util.c
+++ b/example/reader_util.c
@ -1476,10 +1476,11 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
  datalink_type = (int)pcap_datalink(workflow->pcap_handle);
 #endif

-  if(header->caplen < 40)
-    return(nproto); /* Too short */

 datalink_check:
+  if(header->caplen < eth_offset + 40)
+    return(nproto); /* Too short */
+
  switch(datalink_type) {
  case DLT_NULL:
    if(ntohl(*((u_int32_t*)&packet[eth_offset])) == 2)
@ -1680,6 +1681,8 @@ ether_type_check:
      return(nproto);
    }
  } else if(iph->version == 6) {
+    if (header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr))
+      return(nproto); /* Too short for IPv6 header*/
    iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
    proto = iph6->ip6_hdr.ip6_un1_nxt;
    ip_len = sizeof(struct ndpi_ipv6hdr);
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@ -3846,6 +3846,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
 	if(flow->http.url)                  { ndpi_free(flow->http.url); flow->http.url = NULL; }
 	if(flow->http.content_type)         { ndpi_free(flow->http.content_type); flow->http.content_type = NULL; }
 	if(flow->http.user_agent)           { ndpi_free(flow->http.user_agent); flow->http.user_agent = NULL; }
+	if(flow->kerberos_buf.pktbuf) {
+		ndpi_free(flow->kerberos_buf.pktbuf);
+		flow->kerberos_buf.pktbuf = NULL;
+	}
 	if(flow->l4.tcp.tls.message.buffer) {
 	    ndpi_free(flow->l4.tcp.tls.message.buffer);
 	    flow->l4.tcp.tls.message.buffer = NULL;
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@ -168,6 +168,9 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 	  } else
 	    x += data_len;

+	  if((x+2) >= flow->packet.payload_packet_len) {
+	    break;
+	  }
 	  rsp_type = get16(&x, flow->packet.payload);
 	  flow->protos.dns.rsp_type = rsp_type;

--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@ -137,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
 	 + TLVs         | [Class: FLAP__SIGNON_TAGS] TLVs   +
 	 +--------------------------------------------------+
      */
-      if(channel == SIGNON &&
+      if(channel == SIGNON && packet->payload_packet_len >= 10 &&
 	  get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) &&
 	  get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION))
 	{