aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNardi Ivan <nardi.ivan@gmail.com>2022-08-24 20:31:33 +0200
committerToni <matzeton@googlemail.com>2022-08-25 06:44:38 +0200
commita329730d24bc99a77a8e49334ac146fdaf50fb65 (patch)
tree192a084259954dfe992966f1ca613527f73093d1
parent8bfb1712d8b69c1faf2d9e23e741659c06f4a7df (diff)
QUIC: fix heap-buffer-overflow
``` ==12318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000032 at pc 0x55a59ec97959 bp 0x7fffee67fdd0 sp 0x7fffee67fdc8 READ of size 1 at 0x604000000032 thread T0 #0 0x55a59ec97958 in may_be_0rtt /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1483:24 #1 0x55a59ec9515f in ndpi_search_quic /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1708:13 #2 0x55a59ec32e95 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5428:6 #3 0x55a59ec33c5b in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5464:10 #4 0x55a59ec335fc in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5497:12 #5 0x55a59ec44615 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6322:15 #6 0x55a59eb8884e in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:29:5 #7 0x55a59eb889c7 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:101:17 #8 0x7fb5b3ba2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #9 0x55a59eac742d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x47d42d) (BuildId: 712c87b21cf5c05f64174745909c693d3ba0b62e) 0x604000000032 is located 0 bytes to the right of 34-byte region [0x604000000010,0x604000000032) allocated by thread T0 here: #0 0x55a59eb4bfee in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x501fee) (BuildId: 712c87b21cf5c05f64174745909c693d3ba0b62e) #1 0x55a59eb8899c in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:87:17 ``` Found by CI tests. See: https://github.com/ntop/nDPI/runs/7996151458?check_suite_focus=true
Diffstat
-rw-r--r--src/lib/protocols/quic.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 79fd5a823..af43bf7e5 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1476,12 +1476,12 @@ static int may_be_0rtt(struct ndpi_detection_module_struct *ndpi_struct,
/* Check that CIDs lengths are valid */
dest_conn_id_len = packet->payload[5];
- if(packet->payload_packet_len < 5 + 1 + dest_conn_id_len) {
+ if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len) {
NDPI_LOG_DBG2(ndpi_struct, "Dcid too short\n");
return 0;
}
source_conn_id_len = packet->payload[5 + 1 + dest_conn_id_len];
- if(packet->payload_packet_len < 5 + 1 + dest_conn_id_len + 1 + source_conn_id_len) {
+ if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len + 1 + source_conn_id_len) {
NDPI_LOG_DBG2(ndpi_struct, "Scid too short\n");
return 0;
}
Powered by cgit, Themed by Ted Yin.