authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-01-18 21:52:37 +0100
committerGitHub <noreply@github.com>2022-01-18 21:52:37 +0100
commit9f050fa0a65f3403c1f8296faf5f9d88d4900a8d (patch)
treea288baccd65b73a1614ca8db2d184be7e6cfd257
parentbd036f96f9bf3feb7ef4699b4f9882705b853ed1 (diff)
TLS, H323, examples: fix some memory errors (#1414)
Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26880 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26906 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43782 https://oss-fuzz.com/testcase-detail/6334089358082048
-rw-r--r--example/reader_util.c12
-rw-r--r--src/lib/protocols/h323.c2
-rw-r--r--src/lib/protocols/tls.c2
3 files changed, 10 insertions, 6 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 7ca602141..136bef914 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1006,6 +1006,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
pkt_timeval when) {
struct ndpi_iphdr iph;
+ if(ipsize < 40)
+ return(NULL);
memset(&iph, 0, sizeof(iph));
iph.version = IPVERSION;
iph.saddr = iph6->ip6_src.u6_addr.u6_addr32[2] + iph6->ip6_src.u6_addr.u6_addr32[3];
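Review bot: The new guard `if(ipsize < 40)` hard-codes the IPv6 fixed-header length as a bare literal, while what it protects is the reads of `iph6->ip6_src` / `ip6_dst` that follow; express the bound through the header type instead, e.g. `if(ipsize < sizeof(*iph6)) return(NULL);`, and add `/* need the full 40-byte IPv6 fixed header before reading src/dst */` so the number is explained. This assumes ipsize counts the bytes available from iph6 onward — confirm against the caller, which is outside the hunk. get_ndpi_flow_info6's body continues past the hunk, so any later read of the next-header field or an extension header needs its own bound; this check covers only the fixed header.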
@@ -1729,7 +1731,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
/* Cisco PPP in HDLC-like framing - 50 */
case DLT_PPP_SERIAL:
chdlc = (struct ndpi_chdlc *) &packet[eth_offset];
- ip_offset = sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
+ ip_offset = eth_offset + sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
type = ntohs(chdlc->proto_code);
break;
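Review bot: The read of `chdlc->proto_code` on the line after the corrected one dereferences packet[eth_offset .. eth_offset+3] with no check that those bytes lie within header->caplen; the commit fixes ip_offset but leaves the CHDLC header read itself unguarded. Unless caplen is validated against eth_offset earlier in ndpi_workflow_process_packet (outside the hunk), add `if(eth_offset + sizeof(struct ndpi_chdlc) > header->caplen) return(nproto);` before the cast, in the same shape as the VLAN guard this commit adds further down the function. The enclosing switch and function start and end outside the hunk.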
@@ -1738,10 +1740,10 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
case DLT_PPP:
if(packet[0] == 0x0f || packet[0] == 0x8f) {
chdlc = (struct ndpi_chdlc *) &packet[eth_offset];
- ip_offset = sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
+ ip_offset = eth_offset + sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
type = ntohs(chdlc->proto_code);
} else {
- ip_offset = 2;
+ ip_offset = eth_offset + 2;
type = ntohs(*((u_int16_t*)&packet[eth_offset]));
}
break;
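Review bot: The branch test `packet[0] == 0x0f || packet[0] == 0x8f` still indexes the raw packet at offset 0 while every other access in this case now goes through eth_offset, so if eth_offset can be non-zero on a DLT_PPP capture the HDLC address byte is tested at the wrong position and the ip_offset fix below it is applied on the wrong premise. Either change the test to `packet[eth_offset] == 0x0f || packet[eth_offset] == 0x8f` or, if eth_offset is always 0 for this link type, say so in a comment on that line. The 2- and 4-byte reads of packet[eth_offset..] in both branches are also unguarded against caplen here, as in the DLT_PPP_SERIAL case; whether caplen is checked earlier in the function is outside the hunk.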
@@ -1847,13 +1849,15 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
/* check ether type */
switch(type) {
case ETH_P_VLAN:
+ if(ip_offset+4 >= (int)header->caplen)
+ return(nproto);
vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF;
type = (packet[ip_offset+2] << 8) + packet[ip_offset+3];
ip_offset += 4;
vlan_packet = 1;
// double tagging for 802.1Q
- while((type == 0x8100) && (((bpf_u_int32)ip_offset) < header->caplen)) {
+ while((type == 0x8100) && (((bpf_u_int32)ip_offset+4) < header->caplen)) {
vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF;
type = (packet[ip_offset+2] << 8) + packet[ip_offset+3];
ip_offset += 4;
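Review bot: The added guard and the loop condition just below bound the same 4-byte tag read in two different ways — `ip_offset+4 >= (int)header->caplen` casts caplen down to int, while the loop casts ip_offset up to bpf_u_int32 — so a reader has to reason about a signed and an unsigned comparison for one invariant. Use one form for both, e.g. `if(((bpf_u_int32)ip_offset + 4) >= header->caplen) return(nproto);`, so the outer tag and the QinQ tags are checked identically and no negative ip_offset can slip past the int comparison. Separately, the loop still only recognises 0x8100 as a stacked tag, so an 802.1ad (0x88A8) outer tag falls through with type unchanged; that is pre-existing and not introduced here.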
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index 7774b9d0a..c52ddb0f6 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -46,7 +46,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
NDPI_LOG_DBG2(ndpi_struct, "calculated dport over tcp\n");
/* H323 */
- if(packet->payload_packet_len > 4
+ if(packet->payload_packet_len > 5
&& (packet->payload[0] == 0x03)
&& (packet->payload[1] == 0x00)) {
struct tpkt *t = (struct tpkt*)packet->payload;
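Review bot: The new length bound `payload_packet_len > 5` is a bare number and nothing in the hunk says which access it covers; the only reads visible here are payload[0], payload[1] and the tpkt cast, so the reason for requiring six bytes is presumably an index used later in the body, which runs past the hunk. Add a comment on the condition naming the protected access, e.g. `/* need the 4-byte TPKT header plus the bytes inspected below; highest index read is payload[5] — keep in sync with the body */`, adjusted to what the body actually reads, so the next edit to the body knows to update the bound. The cast of packet->payload to struct tpkt* assumes the payload pointer is suitably aligned; that is pre-existing.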
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index fe28b8250..600346b83 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2145,11 +2145,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
if(rc <= 0) {
- flow->protos.tls_quic.encrypted_sni.esni[off] = '\0';
break;
} else
off += rc;
}
+ flow->protos.tls_quic.encrypted_sni.esni[off] = '\0';
}
}
}
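Review bot: The terminator write moved after the loop, `esni[off] = '\0'`, lands at index 2 × (bytes encoded) and is in bounds only if the esni buffer was sized for two hex characters per byte plus one; the allocation and the loop header are outside the hunk, so state that invariant where it is relied on, e.g. `/* esni holds 2 chars per ESNI byte + NUL; off == 2*count here */` beside the added line. The `rc <= 0` branch cannot fire in practice — sprintf of a byte masked to 0xFF with "%02X" always writes exactly two characters — so dropping the terminator from it was correct, but writing the call as `snprintf(&...esni[off], 3, "%02X", packet->payload[i] & 0xFF)` would make the per-iteration bound explicit rather than implicit in the format. processClientServerHello begins and ends well outside the hunk.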