author | Nardi Ivan <nardi.ivan@gmail.com> | 2020-03-26 17:42:10 +0100 |
---|---|---|
committer | Nardi Ivan <nardi.ivan@gmail.com> | 2020-03-27 11:09:53 +0100 |
commit | 97fc94c7e83dc2f40760b0b769cc347e8615c89a (patch) | |
tree | 8f86364df7668fb11b46e1b95481952bbc6ad175 /src/lib/protocols/kerberos.c | |
parent | 9ec711aa90606f1893c2d58bf8dcb549dc224f95 (diff) |
kerberos: fix use-after-free error
After leaving the kerberos code, the original packet may still be processed by
another dissector (e.g. TLS)
Diffstat (limited to 'src/lib/protocols/kerberos.c')
-rw-r--r-- | src/lib/protocols/kerberos.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index 2bacbf510..2aa73dd39 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -45,6 +45,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
   struct ndpi_packet_struct *packet = &flow->packet;
   u_int16_t sport = packet->tcp ? ntohs(packet->tcp->source) : ntohs(packet->udp->source);
   u_int16_t dport = packet->tcp ? ntohs(packet->tcp->dest) : ntohs(packet->udp->dest);
+  const u_int8_t *original_packet_payload = NULL;
+  u_int16_t original_payload_packet_len = 0;
   if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
@@ -65,6 +67,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
       flow->kerberos_buf.pktbuf_currlen += packet->payload_packet_len;
       if(flow->kerberos_buf.pktbuf_currlen == flow->kerberos_buf.pktbuf_maxlen) {
+        original_packet_payload = packet->payload;
+        original_payload_packet_len = packet->payload_packet_len;
         packet->payload = (u_int8_t *)flow->kerberos_buf.pktbuf;
         packet->payload_packet_len = flow->kerberos_buf.pktbuf_currlen;
 #ifdef KERBEROS_DEBUG
@@ -319,8 +323,11 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
               snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);
               /* If necessary we can decode sname */
-
-              if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf);
+              if(flow->kerberos_buf.pktbuf) {
+                ndpi_free(flow->kerberos_buf.pktbuf);
+                packet->payload = original_packet_payload;
+                packet->payload_packet_len = original_payload_packet_len;
+              }
               flow->kerberos_buf.pktbuf = NULL;
             }
           }
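Review bot: In the third hunk (and the same pattern in the `@@ -332,6 +339,8 @@` hunk), the restore of `packet->payload` is gated on `flow->kerberos_buf.pktbuf` being non-NULL rather than on the swap in the second hunk having actually run, so on any path where the buffer is allocated but `original_packet_payload` was never captured the packet would be left with `payload == NULL` and `payload_packet_len == 0` for every dissector that runs afterwards; I cannot see the ~250 lines between the swap and the free, so whether such a path exists is inferred, but keying the restore on the saved pointer removes the question and stops the pointer from going stale if the free is ever moved. The proposed shape below decouples "free the reassembly buffer" from "put the original payload back" and would replace both copies; the same check, written once near the function's exit, would also cover early returns taken after the swap that currently leave `packet->payload` pointing at the reassembly buffer for the rest of this packet's dissection. `ndpi_search_kerberos` starts before the first hunk and continues past the last one.
```c
              if(flow->kerberos_buf.pktbuf) {
                ndpi_free(flow->kerberos_buf.pktbuf);
                flow->kerberos_buf.pktbuf = NULL;
              }
              /* Restore only if the reassembly buffer was swapped in above */
              if(original_packet_payload != NULL) {
                packet->payload = original_packet_payload;
                packet->payload_packet_len = original_payload_packet_len;
              }
              /* … unchanged: closing braces of the realm parsing block … */
```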
@@ -332,6 +339,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
         /* We set the protocol in the response */
         if(flow->kerberos_buf.pktbuf != NULL) {
           ndpi_free(flow->kerberos_buf.pktbuf);
+          packet->payload = original_packet_payload;
+          packet->payload_packet_len = original_payload_packet_len;
           flow->kerberos_buf.pktbuf = NULL;
         } |