Merge pull request #874 from catenacyber/fuzz6fix

Fuzz6fix

1 files changed, 7 insertions, 5 deletions

diff --git a/example/reader_util.c b/example/reader_util.c
index 97aa940bd..8b7bc1c75 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1691,12 +1691,11 @@ ether_type_check:
       return(nproto); /* Too short for IPv6 header*/
     iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
     proto = iph6->ip6_hdr.ip6_un1_nxt;
-    ip_len = sizeof(struct ndpi_ipv6hdr);
+    ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen);
 
-    if(proto == IPPROTO_DSTOPTS /* IPv6 destination option */) {
-      u_int8_t *options = (u_int8_t*)&packet[ip_offset+ip_len];
-      proto = options[0];
-      ip_len += 8 * (options[1] + 1);
+    const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr));
+    if(ndpi_handle_ipv6_extension_headers(NULL, &l4ptr, &ip_len, &proto) != 0) {
+      return(nproto);
     }
 
     iph = NULL;
@@ -1745,6 +1744,9 @@ ether_type_check:
       }
     } else if((sport == TZSP_PORT) || (dport == TZSP_PORT)) {
       /* https://en.wikipedia.org/wiki/TZSP */
+      if (header->caplen < ip_offset + ip_len + sizeof(struct ndpi_udphdr) + 4)
+        return(nproto); /* Too short for TZSP*/
+
       u_int offset           = ip_offset+ip_len+sizeof(struct ndpi_udphdr);
       u_int8_t version       = packet[offset];
       u_int8_t ts_type       = packet[offset+1];