diff options
author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-03-22 18:18:36 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-22 18:18:36 +0100 |
commit | ddb9aa0f95ba263361b9be2ba0a122ea1e001be9 (patch) | |
tree | 5191a6b9dda1c7633331c451ed2617cde0e04213 | |
parent | 530d0de4382ab4d70cfc1dedcf8cf2ac729dfddf (diff) |
TLS: fix parsing of certificate elements (#1910)
```
==1228==ERROR: AddressSanitizer: SEGV on unknown address 0x6040000bed05 (pc 0x00000056e148 bp 0x7ffcca534320 sp 0x7ffcca5330c0 T0)
==1228==The signal is caused by a WRITE memory access.
#0 0x56e148 in processCertificateElements ndpi/src/lib/protocols/tls.c:682:79
#1 0x56c60f in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_tls_certificate.c:43:3
#2 0x43de63 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#3 0x4295c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#4 0x42ee6c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#5 0x4583a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#6 0x7f8c021c9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
#7 0x41f78d in _start
```
Found by oss-fuzz.
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57317
-rw-r--r-- | src/lib/protocols/tls.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index c78f01876..d3873ab98 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -364,7 +364,8 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct struct ndpi_flow_struct *flow, u_int16_t p_offset, u_int16_t certificate_len) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t num_found = 0, i; + u_int16_t num_found = 0; + int32_t i; char buffer[64] = { '\0' }, rdnSeqBuf[2048]; u_int rdn_len = 0; |