Merge pull request #920 from lnslbrty/fix/tls-rdn-crash

Fixed stack overflow caused by missing length check
author: Luca Deri <lucaderi@users.noreply.github.com> 2020-06-19 11:44:37 +0200
committer: GitHub <noreply@github.com> 2020-06-19 11:44:37 +0200
commit: fd0591b4fcebba93a949bcdf2ad12e9f790e68a0 (patch)
tree: 5e480a2391af06a138063aba1e946b43bf86a18f /src/lib/protocols/tls.c
parent: 48758d28ea11a681bade2c6805f92851c07e8db7 (diff)
parent: 23594f036536468072198a57c59b6e9d63caf6ce (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 61f4424c7..eac9e0f77 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -196,6 +196,14 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
   char *str;
   u_int len, j;
 
+  if (*rdnSeqBuf_offset >= rdnSeqBuf_len) {
+#ifdef DEBUG_TLS
+    printf("[TLS] %s() [buffer capacity reached][%u]\n",
+           __FUNCTION__, rdnSeqBuf_len);
+#endif
+    return -1;
+  }
+
   // packet is truncated... further inspection is not needed
   if((offset+4+str_len) >= packet->payload_packet_len)
     return(-1);
@@ -235,7 +243,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 				       u_int16_t p_offset, u_int16_t certificate_len) {
   struct ndpi_packet_struct *packet = &flow->packet;
   u_int num_found = 0, i;
-  char buffer[64] = { '\0' }, rdnSeqBuf[1024] = { '\0' };
+  char buffer[64] = { '\0' }, rdnSeqBuf[2048] = { '\0' };
   u_int rdn_len = 0;
 
 #ifdef DEBUG_TLS
author	Luca Deri <lucaderi@users.noreply.github.com>	2020-06-19 11:44:37 +0200
committer	GitHub <noreply@github.com>	2020-06-19 11:44:37 +0200
commit	fd0591b4fcebba93a949bcdf2ad12e9f790e68a0 (patch)
tree	5e480a2391af06a138063aba1e946b43bf86a18f /src/lib/protocols/tls.c
parent	48758d28ea11a681bade2c6805f92851c07e8db7 (diff)
parent	23594f036536468072198a57c59b6e9d63caf6ce (diff)