Merge pull request #943 from lnslbrty/fix/missing-lengthcheck-in-tls-esni

Fixed heap overflow in tls esni extraction triggered by manipulated p…
author: Luca Deri <lucaderi@users.noreply.github.com> 2020-07-01 12:37:29 +0200
committer: GitHub <noreply@github.com> 2020-07-01 12:37:29 +0200
commit: 08698c65e5922774ad3e2b8fd18848c755145942 (patch)
tree: 8cb1961052235cc803b60d939b8af716578361b8 /src/lib/protocols/tls.c
parent: 2d68f8f63599f781acb50d7e16552b460286cd8d (diff)
parent: 05d7400563e23bffd4b1226ffe9d93eb8fa7d601 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 007931e19..830232554 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1298,7 +1298,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		    e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
 		    e_offset += 2;
 
-		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
+		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 &&
+		        e_offset+e_sni_len < packet->payload_packet_len) {
 #ifdef DEBUG_ENCRYPTED_SNI
 		      printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
 #endif
author	Luca Deri <lucaderi@users.noreply.github.com>	2020-07-01 12:37:29 +0200
committer	GitHub <noreply@github.com>	2020-07-01 12:37:29 +0200
commit	08698c65e5922774ad3e2b8fd18848c755145942 (patch)
tree	8cb1961052235cc803b60d939b8af716578361b8 /src/lib/protocols/tls.c
parent	2d68f8f63599f781acb50d7e16552b460286cd8d (diff)
parent	05d7400563e23bffd4b1226ffe9d93eb8fa7d601 (diff)