TLS: fix stack-buffer-overflow error (#1567)

``` ==300852==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f108951f060 at pc 0x5641db0ee78c bp 0x7fff3b10b910 sp 0x7fff3b10b0d0 WRITE of size 116 at 0x7f108951f060 thread T0 #0 0x5641db0ee78b in __interceptor_strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x64e78b) (BuildId: 23cb34bbaf8ac11eb97563bbdc12e29ead9fb0fa) #1 0x5641db28efad in tlsCheckUncommonALPN /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1224:7 #2 0x5641db27ec76 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1533:6 #3 0x5641db295677 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:865:5 #4 0x5641db2935bb in ndpi_search_tls_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1024:2 #5 0x5641db28f692 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2446:5 #6 0x5641db1d87ce in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5150:6 #7 0x5641db1d91e4 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5198:12 #8 0x5641db1d8e87 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5217:12 #9 0x5641db1eb4a7 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6076:15 #10 0x5641db140b45 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:29:5 #11 0x5641db14130b in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:101:17 #12 0x7f108bcab082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #13 0x5641db07f46d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x5df46d) (BuildId: 23cb34bbaf8ac11eb97563bbdc12e29ead9fb0fa) Address 0x7f108951f060 is located in stack of thread T0 at offset 96 in frame #0 0x5641db28ec4f in tlsCheckUncommonALPN /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1204 This frame has 1 object(s): [32, 96) 'str' (line 1218) <== Memory access at offset 96 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x64e78b) (BuildId: 23cb34bbaf8ac11eb97563bbdc12e29ead9fb0fa) in __interceptor_strncpy Shadow bytes around the buggy address: ``` Avoid zeroing the entire string. Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47730
2026-05-06 12:15:22 +00:00 · 2022-05-31 10:33:42 +02:00 · 2022-05-31 10:33:42 +02:00 · 9040bc74c9
commit 9040bc74c9
parent 354addd693
1 changed files with 10 additions and 3 deletions
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@ -1205,7 +1205,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
  char * alpn_start = flow->protos.tls_quic.alpn;
  char * comma_or_nul = alpn_start;
  do {
-    int alpn_len;
+    size_t alpn_len;

    comma_or_nul = strchr(comma_or_nul, ',');

@ -1215,13 +1215,20 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
    alpn_len = comma_or_nul - alpn_start;

    if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) {
-      char str[64] = { '\0' };
+      char str[64];
+      size_t str_len;
      
 #ifdef DEBUG_TLS
      printf("TLS uncommon ALPN found: %.*s\n", (int)alpn_len, alpn_start);
 #endif

-      strncpy(str, alpn_start, alpn_len);
+      str[0] = '\0';
+      str_len = ndpi_min(alpn_len, sizeof(str));
+      if(str_len > 0) {
+        strncpy(str, alpn_start, str_len);
+        str[str_len - 1] = '\0';
+      }
+
      ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str);
      break;
    }