author | Luca Deri <deri@ntop.org> | 2020-05-29 21:43:06 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-05-29 21:43:06 +0200 |
commit | 61066fb106efa6d3d95b67e47b662de208b2b622 (patch) | |
tree | ee816ab90bca0620ccc2974a6b36de6cc31ee7b8 | |
parent | 4ceff1dc77bb75919f9394983529d89c604a700f (diff) |
Added check for heap buffer overflow read
-rw-r--r-- | src/lib/ndpi_main.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7199f72eb..a062cdc8c 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4807,29 +4807,34 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re u_int16_t read = 0; u_int16_t oldread; u_int32_t c; + /* ip address must be X.X.X.X with each X between 0 and 255 */ oldread = read; c = ndpi_bytestream_to_number(str, max_chars_to_read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); + read++; val = c << 24; oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); + read++; val = val + (c << 16); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); + read++; val = val + (c << 8); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read) return(0); + val = val + c; *bytes_read = *bytes_read + read; @@ -4869,9 +4874,10 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, int diff; /* No unsigned ! */ u_int32_t a1 = a + 4; - diff = ndpi_min(packet->payload_packet_len-a1, sizeof(flow->initial_binary_bytes)); + diff = packet->payload_packet_len - a1; if(diff > 0) { + diff = ndpi_min(diff, sizeof(flow->initial_binary_bytes)); memcpy(&flow->initial_binary_bytes, &packet->payload[a1], diff); flow->initial_binary_bytes_len = diff; } |
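Review bot: In the ndpi_parse_packet_line_info hunk, `diff = packet->payload_packet_len - a1;` is still evaluated in unsigned arithmetic because `a1` is `u_int32_t`, so the new `if(diff > 0)` guard only works through the implementation-defined conversion of a wrapped value to a negative `int` (the `/* No unsigned ! */` comment hints at this reliance). Comparing before subtracting makes the bound explicit and independent of that conversion: `if(packet->payload_packet_len > a1) {` followed by `diff = ndpi_min(packet->payload_packet_len - a1, sizeof(flow->initial_binary_bytes));`. A one-line comment above the guard, stating that `a1` can point past the end of the payload and that the copy must never read beyond `payload_packet_len`, would keep a later cleanup from folding the two statements back into the form that caused the over-read. The enclosing function starts and ends outside the hunk, so whether `a + 4` is otherwise bounded by the surrounding loop cannot be confirmed from here.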