authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-07-15 22:23:52 +0200
committerGitHub <noreply@github.com>2023-07-15 22:23:52 +0200
commit5267858b3d09fbc6a70c4bdcabdd176ea26ee72c (patch)
tree6c967dccb7cf4bc5ed94b0bce44c5e21fbe40278
parent2bbde5bad3ca309141df7522da1b20bb0a506ec2 (diff)
HTTP: fix another memory access error (#2049)
``` ================================================================= ==199079==ERROR: AddressSanitizer: negative-size-param: (size=-1) #0 0x559a2a6efd4f in strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x94ad4f) (BuildId: 34aaabba403c6bc5482553ef355360fd2762a157) #1 0x559a2a9890f0 in ndpi_http_check_content /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:300:8 #2 0x559a2a9812c0 in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:910:46 #3 0x559a2a978fee in process_response /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1289:3 #4 0x559a2a97622f in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1382:9 #5 0x559a2a975d95 in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1468:3 #6 0x559a2a864970 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5948:4 #7 0x559a2a8660df in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6013:12 #8 0x559a2a865d7f in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6032:12 #9 0x559a2a876fd6 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7038:15 #10 0x559a2a87311f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7205:22 #11 0x559a2a77381e in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1710:31 #12 0x559a2a77381e in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2427:10 [...] ``` Found by oss-fuzz See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60605
-rw-r--r--src/lib/protocols/http.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 6951dd85c..271409057 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -295,10 +295,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(packet->content_disposition_line.ptr[attachment_len] == '\"') {
if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"') {
//case: filename="file_name
- flow->http.filename = ndpi_malloc(filename_len);
- if(flow->http.filename != NULL) {
- strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
- flow->http.filename[filename_len-1] = '\0';
+ if(filename_len >= 2) {
+ flow->http.filename = ndpi_malloc(filename_len);
+ if(flow->http.filename != NULL) {
+ strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
+ flow->http.filename[filename_len-1] = '\0';
+ }
}
}
else if(filename_len >= 2) {
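Review bot: The new `if(filename_len >= 2)` guard on the `filename="file_name` branch carries no comment saying what it protects against, and the same test already sits on the `else if` directly below, so a later edit could drop one of the two without noticing. I would add `/* filename_len-1 is converted to size_t by strncpy(): a value of 0 wraps to a huge length */` above the guard, or hoist a single length check above both quoted branches. The declaration of `filename_len` and the way it is derived from `content_disposition_line.len` are outside the hunk; if its type is narrower than the line length it may wrap for long headers, which is worth confirming because this value comes straight from packet data. The body of ndpi_http_check_content starts and ends outside the hunk.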