author | Luca Deri <lucaderi@users.noreply.github.com> | 2020-03-31 17:51:20 +0200 |
committer | GitHub <noreply@github.com> | 2020-03-31 17:51:20 +0200 |
commit | 56ca71bda9870e78ba0ee70fe226c4a4fcc36a04 (patch) | |
tree | a523d39c9ee5faa35067fc8a4122ba2b6f51883c | |
parent | 17d531e3db61326f286c7d0d543f4ea5b00bc796 (diff) | |
parent | 498571354d2c22c192bb80bc79058b70d455b363 (diff) |
Merge pull request #863 from IvanNardi/memory-errors
Memory errors
-rw-r--r-- | src/lib/protocols/ciscovpn.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/h323.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/kerberos.c | 13 | ||||
-rw-r--r-- | src/lib/protocols/openvpn.c | 21 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/soulseek.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/telnet.c | 85 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 2 |
9 files changed, 74 insertions, 59 deletions
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c index 4a73e5728..eee7c4eb8 100644 --- a/src/lib/protocols/ciscovpn.c +++ b/src/lib/protocols/ciscovpn.c @@ -36,6 +36,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru if((tdport == 10000 && tsport == 10000) || ((tsport == 443 || tdport == 443) && + (packet->payload_packet_len >= 4) && (packet->payload[0] == 0x17 && packet->payload[1] == 0x01 && packet->payload[2] == 0x00 && @@ -51,6 +52,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru } else if(((tsport == 443 || tdport == 443) || (tsport == 80 || tdport == 80)) && + (packet->payload_packet_len >= 5) && ((packet->payload[0] == 0x17 && packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && @@ -64,6 +66,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru } else if(((tsport == 8009 || tdport == 8009) || (tsport == 8008 || tdport == 8008)) && + (packet->payload_packet_len >= 5) && ((packet->payload[0] == 0x17 && packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && @@ -79,6 +82,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru ( (usport == 10000 && udport == 10000) && + (packet->payload_packet_len >= 4) && (packet->payload[0] == 0xfe && packet->payload[1] == 0x57 && packet->payload[2] == 0x7e && diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c index d407c981b..70e5a33c0 100644 --- a/src/lib/protocols/h323.c +++ b/src/lib/protocols/h323.c @@ -29,7 +29,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_DBG2(ndpi_struct, "calculated dport over tcp\n"); /* H323 */ - if(packet->payload_packet_len >= 3 + if(packet->payload_packet_len >= 4 && (packet->payload[0] == 0x03) && (packet->payload[1] == 0x00)) { struct tpkt *t = (struct tpkt*)packet->payload; 
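Review bot: The new `>= 4` lower bound in the changed `if` encodes the size of the `struct tpkt` that `packet->payload` is cast to two lines later as a bare constant; if that struct is the 4-byte TPKT header, `if(packet->payload_packet_len >= sizeof(struct tpkt)` keeps the guard and the cast in step should the struct ever change. The two byte tests only touch `payload[0]` and `payload[1]`, so the old `>= 3` covered them but not the struct read; the new bound closes that, assuming nothing later in the function reads past the header without its own check. ndpi_search_h323's body continues outside the hunk.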
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index 2bacbf510..2aa73dd39 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -45,6 +45,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int16_t sport = packet->tcp ? ntohs(packet->tcp->source) : ntohs(packet->udp->source); u_int16_t dport = packet->tcp ? ntohs(packet->tcp->dest) : ntohs(packet->udp->dest); + const u_int8_t *original_packet_payload = NULL; + u_int16_t original_payload_packet_len = 0; if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); @@ -65,6 +67,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, flow->kerberos_buf.pktbuf_currlen += packet->payload_packet_len; if(flow->kerberos_buf.pktbuf_currlen == flow->kerberos_buf.pktbuf_maxlen) { + original_packet_payload = packet->payload; + original_payload_packet_len = packet->payload_packet_len; packet->payload = (u_int8_t *)flow->kerberos_buf.pktbuf; packet->payload_packet_len = flow->kerberos_buf.pktbuf_currlen; #ifdef KERBEROS_DEBUG @@ -319,8 +323,11 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str); /* If necessary we can decode sname */ - - if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf); + if(flow->kerberos_buf.pktbuf) { + ndpi_free(flow->kerberos_buf.pktbuf); + packet->payload = original_packet_payload; + packet->payload_packet_len = original_payload_packet_len; + } flow->kerberos_buf.pktbuf = NULL; } } 
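Review bot: The restore of `packet->payload` and `packet->payload_packet_len` in the hunk starting at old line 319 (and again in the one at old line 332) is keyed on `flow->kerberos_buf.pktbuf` being non-NULL rather than on the swap in the hunk at old line 65 having happened in this call; the saved values start as `NULL`/`0`, so if either free can be reached with `pktbuf` allocated but without the payload having been swapped in this invocation, the packet is left with a NULL payload and zero length. Guarding on the saved pointer instead, `if(original_packet_payload != NULL) { packet->payload = original_packet_payload; packet->payload_packet_len = original_payload_packet_len; }`, ties the restore to the swap itself. Whether that path is reachable depends on the code between the hunks, which is not shown; a one-line comment next to the swap stating that the two saved variables must be restored before every return would also help the next reader. ndpi_search_kerberos continues outside these hunks.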
@@ -332,6 +339,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, /* We set the protocol in the response */ if(flow->kerberos_buf.pktbuf != NULL) { ndpi_free(flow->kerberos_buf.pktbuf); + packet->payload = original_packet_payload; + packet->payload_packet_len = original_payload_packet_len; flow->kerberos_buf.pktbuf = NULL; } diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c index e18774fff..2753dd02e 100644 --- a/src/lib/protocols/openvpn.c +++ b/src/lib/protocols/openvpn.c @@ -120,19 +120,22 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, if(hmac_size > 0) { alen = ovpn_payload[P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size)]; - session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4; - - if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) { - NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); - return; - } else { - NDPI_LOG_DBG2(ndpi_struct, + if (alen > 0) { + session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4; + + if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) { + NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); + return; + } else { + NDPI_LOG_DBG2(ndpi_struct, "key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n", session_remote[0], session_remote[1], session_remote[2], session_remote[3], session_remote[4], session_remote[5], session_remote[6], session_remote[7]); + failed = 1; + } + } else failed = 1; - } } else failed = 1; } else diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 93f5d2cce..be746550b 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c 
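Review bot: The new `alen > 0` guard does not bound `session_remote` against the payload length: `alen` is read from the packet, and the 8-byte `memcmp` plus the `NDPI_LOG_DBG2` that indexes `session_remote[0..7]` read at `P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4`, which can lie past the end of a short packet unless a length check earlier in the function (outside the hunk) already covers the largest possible `alen`. The guard should also require those 8 bytes to fit, e.g. `if(alen > 0 && P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4 + 8 <= packet->payload_packet_len)`, using whatever variable holds the payload length in this function. Why `alen == 0` is now treated as `failed` is not evident from the hunk and deserves a one-line comment, since a zero-length packet-id array is a plausible value on the wire. ndpi_search_openvpn continues outside the hunk.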
@@ -110,7 +110,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_INFO(ndpi_struct, "found QUIC\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN); - if(packet->payload[quic_hlen+12] != 0xA0) + if((udp_len > quic_hlen + 12) && (packet->payload[quic_hlen+12] != 0xA0)) quic_hlen++; } diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c index a08774bb8..042ead2b8 100644 --- a/src/lib/protocols/soulseek.c +++ b/src/lib/protocols/soulseek.c @@ -196,7 +196,7 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, && !get_u_int16_t(packet->payload, 2)) { const u_int32_t usrlen = get_l32(packet->payload, 5); - if(usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { + if(usrlen <= packet->payload_packet_len - (4 + 1 + 4 + 4 + 1 + 4)) { const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; if(typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 390d28042..853fbb24b 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -179,6 +179,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, offset += 4 + len; /* ssh.compression_algorithms_client_to_server [C] */ + if(offset+sizeof(u_int32_t) >= packet->payload_packet_len) + goto invalid_payload; len = ntohl(*(u_int32_t*)&packet->payload[offset]); if(client_hash) { diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index dfccd904e..8e688eca0 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c 
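Review bot: The parenthesised form still compares an unsigned `usrlen` with a signed expression: `packet->payload_packet_len` is a `u_int16_t` (see the kerberos hunk, which saves it into one), so `packet->payload_packet_len - (4 + 1 + 4 + 4 + 1 + 4)` is an `int` that goes negative for payloads shorter than 18 bytes, and the usual arithmetic conversions then make it a very large unsigned value that any `usrlen` satisfies, re-enabling the reads at `4 + 1 + 4 + usrlen` on the next two lines. Unless an earlier check outside the hunk already guarantees at least 18 bytes, the condition should establish that first, e.g. `if(packet->payload_packet_len >= 18 && usrlen <= (u_int32_t)(packet->payload_packet_len - 18))`, keeping the `4 + 1 + 4 + 4 + 1 + 4` spelling in a comment if the breakdown is wanted. ndpi_search_soulseek_tcp continues outside the hunk.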
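Review bot: The added check in concat_hash_string guards only the 4-byte length field read on the next line; whether `len` itself is bounded against the bytes remaining before the following `offset += 4 + len` (the pattern visible at the top of the hunk) is not shown, and if it is not, an oversized `len` moves `offset` past `payload_packet_len` and any use of the field bytes in the `if(client_hash)` branch below would read beyond the packet before the next guard runs. Bounding it right after decoding, `if(len > packet->payload_packet_len - offset - sizeof(u_int32_t)) goto invalid_payload;`, closes that for this field, and the same line belongs after every other list length in the function. Separately, `*(u_int32_t*)&packet->payload[offset]` is an unaligned, type-punned read; copying the four bytes into a local with `memcpy` before `ntohl` avoids that. concat_hash_string continues outside the hunk.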
@@ -36,71 +36,68 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + int i; #ifdef TELNET_DEBUG printf("==> %s() [%s][direction: %u]\n", __FUNCTION__, packet->payload, packet->packet_direction); #endif - if (packet->payload == NULL) + if (packet->payload == NULL || packet->payload_packet_len == 0) return(1); if(packet->payload[0] == 0xFF) return(1); - if(packet->payload_packet_len > 0) { - int i; - - if(flow->protos.telnet.username_detected) { - if((!flow->protos.telnet.password_found) - && (packet->payload_packet_len > 6)) { - - if(strncasecmp((char*)packet->payload, "password:", 9) == 0) { - flow->protos.telnet.password_found = 1; - } + if(flow->protos.telnet.username_detected) { + if((!flow->protos.telnet.password_found) + && (packet->payload_packet_len > 9)) { - return(1); + if(strncasecmp((char*)packet->payload, "password:", 9) == 0) { + flow->protos.telnet.password_found = 1; } + + return(1); + } - if(packet->payload[0] == '\r') { - if(!flow->protos.telnet.password_found) - return(1); + if(packet->payload[0] == '\r') { + if(!flow->protos.telnet.password_found) + return(1); - flow->protos.telnet.password_detected = 1; - flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; - return(0); - } + flow->protos.telnet.password_detected = 1; + flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; + return(0); + } - if(packet->packet_direction == 0) /* client -> server */ { - for(i=0; i<packet->payload_packet_len; i++) { - if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.password)-1)) - flow->protos.telnet.password[flow->protos.telnet.character_id++] = packet->payload[i]; - } + if(packet->packet_direction == 0) /* client -> server */ { + for(i=0; i<packet->payload_packet_len; i++) { + if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.password)-1)) + 
flow->protos.telnet.password[flow->protos.telnet.character_id++] = packet->payload[i]; } - - return(1); } - - if((!flow->protos.telnet.username_found) - && (packet->payload_packet_len > 6)) { - if(strncasecmp((char*)packet->payload, "login:", 6) == 0) { - flow->protos.telnet.username_found = 1; - } + return(1); + } - return(1); - } + if((!flow->protos.telnet.username_found) + && (packet->payload_packet_len > 6)) { - if(packet->payload[0] == '\r') { - flow->protos.telnet.username_detected = 1; - flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0'; - flow->protos.telnet.character_id = 0; - return(1); + if(strncasecmp((char*)packet->payload, "login:", 6) == 0) { + flow->protos.telnet.username_found = 1; } - for(i=0; i<packet->payload_packet_len; i++) { - if(packet->packet_direction == 0) /* client -> server */ { - if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1)) - flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i]; - } + return(1); + } + + if(packet->payload[0] == '\r') { + flow->protos.telnet.username_detected = 1; + flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0'; + flow->protos.telnet.character_id = 0; + return(1); + } + + for(i=0; i<packet->payload_packet_len; i++) { + if(packet->packet_direction == 0) /* client -> server */ { + if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1)) + flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i]; } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index d32584b05..77d69a6fe 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
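Review bot: The `TELNET_DEBUG` printf at the top of search_telnet_again runs before the new `payload == NULL || payload_packet_len == 0` guard and prints `packet->payload` with `%s`, so a debug build dereferences a NULL payload and, for payloads without a terminator, reads past the packet; moving the guard above the `#ifdef` and printing with a bounded width, `printf("==> %s() [%.*s][direction: %u]\n", __FUNCTION__, packet->payload_packet_len, packet->payload, packet->packet_direction);`, fixes both. The restructured body otherwise reads correctly: the `password:` test now requires more than 9 bytes, the `login:` test more than 6, and both `character_id` writes stay below `sizeof(...) - 1`. The literal 9 and 6 duplicate the lengths of the string literals next to them; a `strlen("password:")`-style expression (folded at compile time) or a small helper keeps them in sync if either prompt string changes. The function's closing lines are outside the hunk.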
@@ -734,7 +734,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(total_len > 4) { u_int16_t base_offset = packet->tcp ? 38 : 46; u_int16_t version_offset = packet->tcp ? 4 : 12; - u_int16_t offset = 38, extension_len, j; + u_int16_t offset = packet->tcp ? 38 : 46, extension_len, j; u_int8_t session_id_len = 0; if (base_offset < total_len) session_id_len = packet->payload[base_offset]; |
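Review bot: The changed line re-derives `packet->tcp ? 38 : 46`, which is exactly the `base_offset` computed two lines above; `u_int16_t offset = base_offset, extension_len, j;` states the intent (parsing starts at the hello's base) and cannot drift from `base_offset` if one of the two is edited later. A short comment on what 38 and 46 denote (the TLS-over-TCP versus DTLS header sizes, if that is what they are) would help now that the constants appear in two declarations. processClientServerHello continues outside the hunk.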