| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-02-27 14:18:23 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-27 14:18:23 +0100 |
| commit | 61a3c2eb5b3cac0f36a1bfadc5261b7694d3bfab (patch) | |
| tree | 7f8359cbece4f2f4b7c2a2a765891dba24db332c | |
| parent | 8b062295cc76a60e3905c054ce37bd17669464d1 (diff) | |
reader_util: fix TZSP decapsulation (#1460)
```
==38674==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400008957f at pc 0x5653fcee6434 bp 0x7ffe9b554b50 sp 0x7ffe9b554b48
READ of size 1 at 0x60400008957f thread T0
#0 0x5653fcee6433 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2050:18
#1 0x5653fce9fc0d in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:107:7
#2 0x5653fcea03eb in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:179:17
#3 0x7fe71dc3d0b2 in __libc_start_main /build/glibc-YbNSs7/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x5653fcddf67d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x58a67d) (BuildId: 525418a27e8c37d6c492cc3220e0e97809c40f98)
0x60400008957f is located 0 bytes to the right of 47-byte region [0x604000089550,0x60400008957f)
allocated by thread T0 here:
```
Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45036
| -rw-r--r-- | example/reader_util.c | 2 |
|---|---|---|

1 file changed, 2 insertions, 0 deletions
diff --git a/example/reader_util.c b/example/reader_util.c index aa95fb02c..1dc110e50 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -2047,6 +2047,8 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, tag_len = 1, stop = 1; break; default: + if(offset + 1 >= header->caplen) + return(nproto); /* Invalid packet */ tag_len = packet[offset+1]; break; } |
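Review bot: the added guard `if(offset + 1 >= header->caplen) return(nproto);` in the `default:` branch correctly protects the one-byte read `tag_len = packet[offset+1]` that the AddressSanitizer trace attributes to reader_util.c:2050 (the read sat exactly one byte past a 47-byte region, so `offset + 1 == caplen` is the case being rejected), but it only protects that read. `tag_len` is attacker-controlled data from the packet and, in a TLV walk like this one, is used to advance `offset`; the hunk's context does not show that advance or the loop condition, so it is worth confirming that the next iteration's read of the tag byte at `packet[offset]` is also bounded by `header->caplen`, otherwise a large `tag_len` in a short capture reproduces the same class of over-read one iteration later. A minor style point: the silent `return(nproto)` gives operators no signal that a malformed TZSP frame was dropped; if the workflow already keeps a malformed-packet counter, incrementing it here would make this path observable.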