authorLuca Deri <deri@ntop.org>2020-04-30 20:08:03 +0200
committerLuca Deri <deri@ntop.org>2020-04-30 20:08:03 +0200
commitc120cca66272646c4277d71fa769d020b1026b28 (patch)
tree63eb155775b47cbc4eccec6bc77ecd4ee941ab1d /src/lib/protocols/ssh.c
parent7344bf65bcd249d17415bdc9f084d4880570b23c (diff)
SSH boundary check rework
Diffstat (limited to 'src/lib/protocols/ssh.c')
-rw-r--r--src/lib/protocols/ssh.c39
1 files changed, 20 insertions, 19 deletions
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 86ad970c0..8252d6725 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -95,10 +95,10 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
char *buf, u_int8_t client_hash) {
- u_int32_t offset = 22, buf_out_len = 0;
- int len;
-
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ u_int32_t offset = 22, len, buf_out_len = 0, max_payload_len = packet->payload_packet_len-sizeof(u_int32_t);
+ const u_int32_t len_max = 65565;
+
+ if(offset >= max_payload_len)
goto invalid_payload;
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
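Review bot: `max_payload_len` is initialised as `packet->payload_packet_len-sizeof(u_int32_t)` with no lower bound on the payload length, so a payload shorter than four bytes makes the unsigned subtraction wrap to a very large value, and none of the `offset >= max_payload_len` tests in this function would then reject anything. The removed form `offset+sizeof(u_int32_t) >= packet->payload_packet_len` could not wrap this way. Unless the caller (not visible here) guarantees a minimum length, add `if(packet->payload_packet_len < sizeof(u_int32_t)) goto invalid_payload;` as the first statement, or keep the additive comparison. The function body continues outside the hunk.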
@@ -113,17 +113,17 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf[buf_out_len++] = ';';
offset += len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
/* ssh.server_host_key_algorithms [None] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
- if(len > UINT32_MAX - 8 - offset)
+ if(len > len_max)
goto invalid_payload;
offset += 4 + len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
/* ssh.encryption_algorithms_client_to_server [C] */
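Review bot: `len_max` is set to 65565, which looks like a typo for 65535 and is in any case a fixed cap that says nothing about how many bytes the packet still holds. Here `if(len > len_max)` only keeps `offset += 4 + len` from wrapping before the next `offset >= max_payload_len` test. Since the preceding check has already established `offset < max_payload_len`, comparing against the remaining bytes would be tighter and self-explanatory: `if(len > max_payload_len - offset) goto invalid_payload;`. If the constant stays, give it a comment saying where the value comes from; the same constant is used by the `len > len_max` tests in the later hunks.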
@@ -139,11 +139,11 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf[buf_out_len++] = ';';
}
- if(len > UINT32_MAX - 4 - offset)
+ if(len > len_max)
goto invalid_payload;
offset += len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
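Review bot: The `len > len_max` test comes after the `if` block that closes just above it, and the visible tail of that block (`buf[buf_out_len++] = ';';`) shows `buf` has already been written by the time `len` is bounded. The start of the block is outside the hunk, so whatever guards the copy cannot be confirmed from here. The length read from the packet should be validated immediately after the `ntohl()` read, before any use. `buf_out_len + len + 1` should also be checked against the capacity of `buf`, which the function receives as a bare `char *buf` with no size parameter. The same ordering appears in the hunks at -159, -177, -196, -214 and -232, where `buf_out_len += len;` is visible just before the check.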
/* ssh.encryption_algorithms_server_to_client [S] */
@@ -159,11 +159,11 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf[buf_out_len++] = ';';
}
- if(len > UINT32_MAX - 4 - offset)
+ if(len > len_max)
goto invalid_payload;
offset += len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
/* ssh.mac_algorithms_client_to_server [C] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
@@ -177,11 +177,12 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf_out_len += len;
buf[buf_out_len++] = ';';
}
- if(len > UINT32_MAX - 4 - offset)
+
+ if(len > len_max)
goto invalid_payload;
offset += len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
/* ssh.mac_algorithms_server_to_client [S] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
@@ -196,13 +197,14 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf[buf_out_len++] = ';';
}
- if(len > UINT32_MAX - 4 - offset)
+ if(len > len_max)
goto invalid_payload;
offset += len;
/* ssh.compression_algorithms_client_to_server [C] */
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
+
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
offset += 4;
@@ -214,11 +216,11 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf_out_len += len;
}
- if(len > UINT32_MAX - 4 - offset)
+ if(len > len_max)
goto invalid_payload;
offset += len;
- if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ if(offset >= max_payload_len)
goto invalid_payload;
/* ssh.compression_algorithms_server_to_client [S] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
@@ -232,7 +234,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf_out_len += len;
}
- if(len > UINT32_MAX - offset)
+ if(len > len_max)
goto invalid_payload;
offset += len;
@@ -247,7 +249,6 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
return(buf_out_len);
invalid_payload:
-
#ifdef SSH_DEBUG
printf("[SSH] Invalid packet payload\n");
#endif