diff options
| author | Luca Deri <deri@ntop.org> | 2020-05-15 21:10:37 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2020-05-15 21:10:37 +0200 |
| commit | 8e7b1ea7a136cc4e4aa9880072ec2d69900a825e (patch) | |
| tree | 1c76ea062e8231fc5229f7b55d49f806b867bc95 /src/lib/protocols/openvpn.c | |
| parent | e90c5c7c3223d033467aa359d8b1e264f961fde1 (diff) | |
Fix for potential heap-buffer-overflow in ndpi_search_openvpn
Diffstat (limited to 'src/lib/protocols/openvpn.c')
| -rw-r--r-- | src/lib/protocols/openvpn.c | 51 |
1 files changed, 30 insertions, 21 deletions
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c index 2753dd02e..f0e3428cf 100644 --- a/src/lib/protocols/openvpn.c +++ b/src/lib/protocols/openvpn.c @@ -72,11 +72,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, u_int8_t alen; int8_t hmac_size; int8_t failed = 0; - - if(packet->payload_packet_len >= 40) { + /* No u_ */int16_t ovpn_payload_len = packet->payload_packet_len; + + if(ovpn_payload_len >= 40) { // skip openvpn TCP transport packet size if(packet->tcp != NULL) - ovpn_payload += 2; + ovpn_payload += 2, ovpn_payload_len -= 2;; opcode = ovpn_payload[0] & P_OPCODE_MASK; @@ -85,16 +86,16 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, printf("[packet_id: %u][opcode: %u][Packet ID: %d][%u <-> %u][len: %u]\n", flow->num_processed_pkts, opcode, check_pkid_and_detect_hmac_size(ovpn_payload), - htons(packet->udp->source), htons(packet->udp->dest), packet->payload_packet_len); + htons(packet->udp->source), htons(packet->udp->dest), ovpn_payload_len); #endif if( (flow->num_processed_pkts == 1) && ( - ((packet->payload_packet_len == 112) + ((ovpn_payload_len == 112) && ((opcode == 168) || (opcode == 192)) ) - || ((packet->payload_packet_len == 80) + || ((ovpn_payload_len == 80) && ((opcode == 184) || (opcode == 88) || (opcode == 160) || (opcode == 168) || (opcode == 200))) )) { NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); @@ -119,22 +120,30 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload); if(hmac_size > 0) { - alen = ovpn_payload[P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size)]; + u_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size); + + alen = ovpn_payload[offset]; + if (alen > 0) { - session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4; - - if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) { - NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); - return; - } else { - NDPI_LOG_DBG2(ndpi_struct, - "key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n", - session_remote[0], session_remote[1], session_remote[2], session_remote[3], - session_remote[4], session_remote[5], session_remote[6], session_remote[7]); - failed = 1; - } - } else + offset += 1 + alen * 4; + + if((offset+8) <= ovpn_payload_len) { + session_remote = &ovpn_payload[offset]; + + if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) { + NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); + return; + } else { + NDPI_LOG_DBG2(ndpi_struct, + "key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n", + session_remote[0], session_remote[1], session_remote[2], session_remote[3], + session_remote[4], session_remote[5], session_remote[6], session_remote[7]); + failed = 1; + } + } else + failed = 1; + } else failed = 1; } else failed = 1; |