author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-02-01 20:30:43 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-01 20:30:43 +0100 |
commit | 13212711ab85bb9e5b3dfdb51b8a0ba0b6b3fa32 (patch) | |
tree | b47cbd64a30765041466144e3ec6a0b4cb18133d | |
parent | 8fbef7fb5ab682b7aa9c92e4fd6e106698eb4ae1 (diff) |
CIP: fix infinite-loop (#2295)
Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66342
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66320
-rw-r--r-- | src/lib/protocols/cip.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/protocols/cip.c b/src/lib/protocols/cip.c
index 65dbb9a24..f9412b809 100644
--- a/src/lib/protocols/cip.c
+++ b/src/lib/protocols/cip.c
@@ -43,11 +43,12 @@ static void ndpi_search_cip(struct ndpi_detection_module_struct *ndpi_struct,
 ) {
   u_int8_t num_items = packet->payload[0], offset = 2;
-  while((num_items > 0) && (packet->payload_packet_len > (offset + 4))) {
+  while((num_items > 0) && (packet->payload_packet_len > ((u_int32_t)offset + 4))) {
     // u_int16_t type_id = *((u_int16_t*)&packet->payload[offset]);
     u_int16_t lenght = (packet->payload[offset+3] << 8) + packet->payload[offset+2];
     offset += 4 + lenght;
+    num_items--;
   }
   if(offset == packet->payload_packet_len) {
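Review bot: `offset` is still declared as `u_int8_t`, so `offset += 4 + lenght;` truncates the 16-bit item length into eight bits and the running offset can wrap back to a small value; the `(u_int32_t)` cast in the new `while` condition only widens the comparison, not the stored value, and `num_items--` bounds the iteration count without fixing the arithmetic, so the later `if(offset == packet->payload_packet_len)` could match on a wrapped offset rather than the real end of the item list. Widening the accumulator addresses this and makes the cast unnecessary: `u_int8_t num_items = packet->payload[0]; u_int32_t offset = 2;`. The read of `packet->payload[0]` depends on a minimum-length check that is not in this hunk, so it is worth confirming it is present before the loop. `lenght` would also read better as `length`. ndpi_search_cip both begins and ends outside the hunk.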