authorLuca Deri <deri@ntop.org>2020-05-29 21:43:06 +0200
committerLuca Deri <deri@ntop.org>2020-05-29 21:43:06 +0200
commit61066fb106efa6d3d95b67e47b662de208b2b622 (patch)
treeee816ab90bca0620ccc2974a6b36de6cc31ee7b8
parent4ceff1dc77bb75919f9394983529d89c604a700f (diff)
Added check for heap buffer overflow read
-rw-r--r--src/lib/ndpi_main.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7199f72eb..a062cdc8c 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4807,29 +4807,34 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re
u_int16_t read = 0;
u_int16_t oldread;
u_int32_t c;
+
/* ip address must be X.X.X.X with each X between 0 and 255 */
oldread = read;
c = ndpi_bytestream_to_number(str, max_chars_to_read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);
+
read++;
val = c << 24;
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);
+
read++;
val = val + (c << 16);
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);
+
read++;
val = val + (c << 8);
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read)
return(0);
+
val = val + c;
*bytes_read = *bytes_read + read;
@@ -4869,9 +4874,10 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
int diff; /* No unsigned ! */
u_int32_t a1 = a + 4;
- diff = ndpi_min(packet->payload_packet_len-a1, sizeof(flow->initial_binary_bytes));
+ diff = packet->payload_packet_len - a1;
if(diff > 0) {
+ diff = ndpi_min(diff, sizeof(flow->initial_binary_bytes));
memcpy(&flow->initial_binary_bytes, &packet->payload[a1], diff);
flow->initial_binary_bytes_len = diff;
}
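Review bot: The new `diff = packet->payload_packet_len - a1;` still gets its negative value from unsigned wrap-around followed by an implementation-defined conversion to `int`. Because `a1` is `u_int32_t`, the subtraction is done in unsigned arithmetic whenever `a1` exceeds the payload length, and the result only turns negative on assignment. An explicit bounds comparison would state the intent without relying on that conversion: `if(packet->payload_packet_len > a1) {` followed by `diff = ndpi_min(packet->payload_packet_len - a1, sizeof(flow->initial_binary_bytes));`. If the current form is kept, a comment on the `ndpi_min` line such as `/* diff > 0 here, so the int vs size_t comparison cannot wrap */` would record why the clamp must stay inside the guard. The enclosing function starts and ends outside this hunk, so the type and range of `a` (and whether `a + 4` can wrap) are not visible here.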