Fix buffer overread in ndpi_search_setup_capwap

author: Philippe Antoine <contact@catenacyber.fr> 2020-03-12 14:03:31 +0100
committer: Philippe Antoine <contact@catenacyber.fr> 2020-03-12 14:03:31 +0100
commit: 4976d93d4e7ce5e63cb562fb7f0f916c3103e2de (patch)
tree: b7b9675b402dd9e83f46ff6e9a777d0cadc6f823 /src/lib/protocols/capwap.c
parent: 1e933e8b026f6f88f27d64ec2260013f38d268d0 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c
index bfad1a593..33b20fcab 100644
--- a/src/lib/protocols/capwap.c
+++ b/src/lib/protocols/capwap.c
@@ -66,10 +66,12 @@ static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_s
     else
       offset = 15, to_add = 17;
 
-    msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
+    if (packet->payload_packet_len >= offset + sizeof(u_int16_t)) {
+      msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
 
-    if((msg_len+to_add) == packet->payload_packet_len)
-      goto capwap_found;
+      if((msg_len+to_add) == packet->payload_packet_len)
+        goto capwap_found;
+    }
   }
   
   if(
author	Philippe Antoine <contact@catenacyber.fr>	2020-03-12 14:03:31 +0100
committer	Philippe Antoine <contact@catenacyber.fr>	2020-03-12 14:03:31 +0100
commit	4976d93d4e7ce5e63cb562fb7f0f916c3103e2de (patch)
tree	b7b9675b402dd9e83f46ff6e9a777d0cadc6f823 /src/lib/protocols/capwap.c
parent	1e933e8b026f6f88f27d64ec2260013f38d268d0 (diff)