authorNardi Ivan <nardi.ivan@gmail.com>2020-04-24 10:42:52 +0200
committerNardi Ivan <nardi.ivan@gmail.com>2020-04-24 10:42:52 +0200
commit097127c31d028bb8abae8d3aa8edcc367f17bfba (patch)
tree1714a629ca045024520f57e02456f1a4a5f3e650
parentc2ebbb15add2a307458f32a47ea690150927e500 (diff)
Fix heap-overflow error in CAPWAP detunneling code
-rw-r--r--example/reader_util.c26
1 files changed, 15 insertions, 11 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index eeddeab61..3c1af8397 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1810,22 +1810,26 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
/* We dissect ONLY CAPWAP traffic */
u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr);
- if((offset+40) < header->caplen) {
- u_int16_t msg_len = packet[offset+1] >> 1;
+ if((offset+1) < header->caplen) {
+ uint8_t preamble = packet[offset];
- offset += msg_len;
+ if((preamble & 0x0F) == 0) { /* CAPWAP header */
+ u_int16_t msg_len = (packet[offset+1] & 0xF8) >> 1;
- if(packet[offset] == 0x02) {
- /* IEEE 802.11 Data */
+ offset += msg_len;
- offset += 24;
- /* LLC header is 8 bytes */
- type = ntohs((u_int16_t)*((u_int16_t*)&packet[offset+6]));
+ if((offset + 32 < header->caplen) && (packet[offset] == 0x02)) {
+ /* IEEE 802.11 Data */
- ip_offset = offset + 8;
+ offset += 24;
+ /* LLC header is 8 bytes */
+ type = ntohs((u_int16_t)*((u_int16_t*)&packet[offset+6]));
- tunnel_type = ndpi_capwap_tunnel;
- goto iph_check;
+ ip_offset = offset + 8;
+
+ tunnel_type = ndpi_capwap_tunnel;
+ goto iph_check;
+ }
}
}
}
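Review bot: The ethertype read kept on the new side, `type = ntohs((u_int16_t)*((u_int16_t*)&packet[offset+6]));`, dereferences a byte-buffer address through a `u_int16_t*` cast, which is a potentially misaligned access and an aliasing violation even now that the bounds check covers it; the same value can be read byte-wise as `type = (u_int16_t)((packet[offset+6] << 8) | packet[offset+7]);`. The magic `32` in the new `offset + 32 < header->caplen` test is the sum of the `24` and `8` used below it, and the `0x0F`/`0xF8` masks pick the CAPWAP type and HLEN fields, so a one-line comment such as `/* 24-byte 802.11 data header + 8-byte LLC header must fit in the captured bytes */` would let a reader confirm the bound without recomputing it. The new check only covers the 802.11 and LLC bytes; it presumably relies on the code at `iph_check` to validate the IP header that `ip_offset = offset + 8` points at, which lies outside this hunk. The enclosing function ndpi_workflow_process_packet starts and ends outside the hunk.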