vrr/nDPI
2
0
Fork 0
mirror of https://github.com/vel21ripn/nDPI.git synced 2026-05-03 17:30:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Fixed buffer overflows with safe str search

Browse source 
1. Detected a lot of memory errors using address sanitizer
and ndpi-scapy tool.

2. Added ndpi_match_prefix function that compares strings
with taking care of payload packet len. Almost drop-in
replacement for match_first_bytes function.

3. Replaced unsafe match_first_bytes usage with a ndpi_match_prefix
and additional length checks.
This commit is contained in:
theirix 2016-04-12 22:08:30 +03:00
parent 5a37ee9976
commit fb3fc0c6de
10 changed files with 309 additions and 279 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/lib/protocols/msn.c
View file

@ -130,7 +130,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
if (get_u_int8_t(packet->payload, packet->payload_packet_len - 2) == 0x0d
&& get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a) {
/* The MSNP string is used in XBOX clients. */
if (memcmp(packet->payload, "VER ", 4) == 0) {
if (ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "VER ")) {
if (memcmp(&packet->payload[packet->payload_packet_len - 6], "CVR",
3) == 0 || memcmp(&packet->payload[packet->payload_packet_len - 8], "MSNP", 4) == 0) {
@ -139,7 +139,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
ndpi_int_msn_add_connection(ndpi_struct, flow);
return;
}
if (memcmp(&packet->payload[4], "MSNFT", 5) == 0) {
if (ndpi_match_strprefix(&packet->payload[4], packet->payload_packet_len-4, "MSNFT")) {
NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
"found MSN FT by pattern VER MSNFT...0d0a.\n");
ndpi_int_msn_add_connection(ndpi_struct, flow);
@ -153,8 +153,8 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
memcmp(packet->payload, "GET ", NDPI_STATICSTRING_LEN("GET ")) == 0 ||
memcmp(packet->payload, "POST ", NDPI_STATICSTRING_LEN("POST ")) == 0) {
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "GET ") ||
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "POST ")) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->user_agent_line.ptr != NULL &&
packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Messenger/") &&
@ -277,8 +277,8 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
(memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) ||
(memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0)
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.0 200 OK") ||
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.1 200 OK")
) {
ndpi_parse_packet_line_info(ndpi_struct, flow);