author | theirix <theirix@gmail.com> | 2016-04-12 22:08:30 +0300 |
committer | theirix <theirix@gmail.com> | 2016-04-12 22:08:30 +0300 |
commit | fb3fc0c6de201a2ab34b6f7ce4d5dfc2c54c3b5e (patch) | |
tree | 668e579f3df572a36821500bfe80a60e42a10aab /src/lib/protocols/msn.c | |
parent | 5a37ee99764b7d262676b0ca052075c9c559c01d (diff) |
Fixed buffer overflows with safe str search
1. Detected a lot of memory errors using address sanitizer
and ndpi-scapy tool.
2. Added ndpi_match_prefix function that compares strings
while taking the payload packet length into account. Almost a drop-in
replacement for the match_first_bytes function.
3. Replaced unsafe match_first_bytes usage with a ndpi_match_prefix
and additional length checks.
Diffstat (limited to 'src/lib/protocols/msn.c')
-rw-r--r-- | src/lib/protocols/msn.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index af537d7ff..ff81a12b3 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -130,7 +130,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
 if (get_u_int8_t(packet->payload, packet->payload_packet_len - 2) == 0x0d && get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a) {
 /* The MSNP string is used in XBOX clients. */
- if (memcmp(packet->payload, "VER ", 4) == 0) {
+ if (ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "VER ")) {
 if (memcmp(&packet->payload[packet->payload_packet_len - 6], "CVR", 3) == 0 || memcmp(&packet->payload[packet->payload_packet_len - 8], "MSNP", 4) == 0) {
@@ -139,7 +139,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
 ndpi_int_msn_add_connection(ndpi_struct, flow);
 return;
 }
- if (memcmp(&packet->payload[4], "MSNFT", 5) == 0) {
+ if (ndpi_match_strprefix(&packet->payload[4], packet->payload_packet_len-4, "MSNFT")) {
 NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN FT by pattern VER MSNFT...0d0a.\n");
 ndpi_int_msn_add_connection(ndpi_struct, flow);
@@ -153,8 +153,8 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
 #ifdef NDPI_PROTOCOL_HTTP
 packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
 #endif
- memcmp(packet->payload, "GET ", NDPI_STATICSTRING_LEN("GET ")) == 0 ||
- memcmp(packet->payload, "POST ", NDPI_STATICSTRING_LEN("POST ")) == 0) {
+ ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "GET ") ||
+ ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "POST ")) {
 ndpi_parse_packet_line_info(ndpi_struct, flow);
 if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Messenger/") &&
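Review bot: The two memcmp context lines that follow the new VER prefix check still index `packet->payload_packet_len - 6` and `packet->payload_packet_len - 8`, so a six- or seven-byte payload that starts with "VER " and ends in 0x0d0a (the minimum the surrounding conditions admit) still makes the MSNP compare read before the start of the buffer. The enclosing condition begins before the hunk, so a minimum-length guard may already exist upstream; if it does not, `packet->payload_packet_len >= 8 &&` ahead of those two memcmp calls would close the same class of out-of-bounds read this commit targets. The commit message refers to the helper as `ndpi_match_prefix`, while every call here (and in the @@ -139, @@ -153 and @@ -277 hunks) is to `ndpi_match_strprefix`; the message should name the helper as it appears in the code.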
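Review bot: The `packet->payload_packet_len-4` length passed on the new MSNFT line is only non-negative because the enclosing "VER " branch, opened in the @@ -130 hunk, has already established at least four payload bytes; that invariant is not visible at the call site, and if the helper takes an unsigned length a negative value would convert to a large one and disable the bound rather than enforce it. A one-line comment such as `/* payload_packet_len >= 4 here: guaranteed by the "VER " prefix match above */` would make the dependency explicit, and writing the argument as `packet->payload_packet_len - 4` matches the operator spacing used on the neighbouring lines. The enclosing if block starts outside this hunk.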
@@ -277,8 +277,8 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
 #ifdef NDPI_PROTOCOL_HTTP
 packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
 #endif
- (memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) ||
- (memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0)
+ ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.0 200 OK") ||
+ ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.1 200 OK")
 ) {
 ndpi_parse_packet_line_info(ndpi_struct, flow); |