diff options
| author | Toni <matzeton@googlemail.com> | 2021-10-18 23:16:32 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-10-18 23:16:32 +0200 |
| commit | ed51987e3a4838dd9aef27dfab2c0651f2f52836 (patch) | |
| tree | fde07d774b7ef89b3d4b400f0c2af3f07f4f70ce /src/lib/protocols/kerberos.c | |
| parent | 7d3c3b23f8b9749690b8c5f345b7bc489b3666ac (diff) | |
Fix broken fuzz_process_packet fuzzer by adding a call to ndpi_finalize_initialization(). (#1334)
* fixed several memory errors (heap-overflow, unitialized memory, etc)
* ability to build fuzz_process_packet with a main()
allowing to replay crash data generated with fuzz_process_packet
by LLVMs libfuzzer
* temporarily disable fuzzing if `tests/do.sh`
executed with env FUZZY_TESTING_ENABLED=1
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/protocols/kerberos.c')
| -rw-r--r-- | src/lib/protocols/kerberos.c | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index fe1aba684..1f242ac46 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -213,15 +213,21 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); #endif - if(name_offset < packet->payload_packet_len) { + if(name_offset < packet->payload_packet_len - 1) { u_int cname_len = 0; name_offset += 1; - if(packet->payload[name_offset+1] < ' ') /* Isn't printable ? */ + if(name_offset < packet->payload_packet_len - 1 && + isprint(packet->payload[name_offset+1]) == 0) /* Isn't printable ? */ + { name_offset++; + } - if(packet->payload[name_offset+1] == 0x1b) + if(name_offset < packet->payload_packet_len - 1 && + packet->payload[name_offset+1] == 0x1b) + { name_offset += 2; + } cname_len = packet->payload[name_offset]; @@ -230,11 +236,16 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, char cname_str[48]; u_int8_t num_cname = 0; + cname_str[0] = '\0'; // required, because cname_len + while(++num_cname <= 2) { if(cname_len > sizeof(cname_str)-1) - cname_len = sizeof(cname_str)-1; + cname_len = sizeof(cname_str)-1; - strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len); + if (name_offset + cname_len + 1 >= packet->payload_packet_len) + cname_len = 0; + else + strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len); cname_str[cname_len] = '\0'; for(i=0; i<cname_len; i++) cname_str[i] = tolower(cname_str[i]); @@ -243,16 +254,18 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, #endif if(((strcmp(cname_str, "host") == 0) || (strcmp(cname_str, "ldap") == 0)) && (packet->payload[name_offset+1+cname_len] == 0x1b)) { - name_offset += cname_len + 2; - cname_len = packet->payload[name_offset]; - } else - break; + name_offset += cname_len + 2; + if (name_offset < packet->payload_packet_len) + cname_len = packet->payload[name_offset]; + } else{ + break; + } } realm_offset = cname_len + name_offset + 3; /* if cname does not end with a $ then it's a username */ - if(cname_len + if(cname_len > 0 && name_offset + cname_len + 1 < packet->payload_packet_len && (cname_len < sizeof(cname_str)) && (cname_str[cname_len-1] == '$')) { cname_str[cname_len-1] = '\0'; @@ -305,7 +318,7 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t name_offset, padding_offset = body_offset + 4; name_offset = padding_offset; - for(i=0; i<14; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ + for(i=0; i<14 && name_offset < packet->payload_packet_len; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ #ifdef KERBEROS_DEBUG printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); |