Fixed heap overflow in tls esni extraction triggered by manipulated packets.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2020-06-29 21:51:46 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2020-06-29 21:51:46 +0200
commit: 05d7400563e23bffd4b1226ffe9d93eb8fa7d601 (patch)
tree: 47d1e97064fc5188fab0af8f129694c221028813 /src/lib/protocols/tls.c
parent: 0d2d44f1b6c89a851a6a9634d66cb42cc81b3244 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 007931e19..830232554 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1298,7 +1298,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		    e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
 		    e_offset += 2;
 
-		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
+		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 &&
+		        e_offset+e_sni_len < packet->payload_packet_len) {
 #ifdef DEBUG_ENCRYPTED_SNI
 		      printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
 #endif
author	Toni Uhlig <matzeton@googlemail.com>	2020-06-29 21:51:46 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2020-06-29 21:51:46 +0200
commit	05d7400563e23bffd4b1226ffe9d93eb8fa7d601 (patch)
tree	47d1e97064fc5188fab0af8f129694c221028813 /src/lib/protocols/tls.c
parent	0d2d44f1b6c89a851a6a9634d66cb42cc81b3244 (diff)