authorLuca Deri <lucaderi@users.noreply.github.com>2020-03-12 18:13:30 +0100
committerGitHub <noreply@github.com>2020-03-12 18:13:30 +0100
commit70ee793ff3dac24af0d0526cc40ff3639fa3feed (patch)
tree98d9edf7d15895b694f4752615c5aee617df9945 /src/lib/protocols
parent1e933e8b026f6f88f27d64ec2260013f38d268d0 (diff)
parent7806eb5f5b02fd78de1db20caeebc56088ebec3e (diff)
Merge pull request #856 from catenacyber/fuzzfix5
Fuzzfix5
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/capwap.c8
-rw-r--r--src/lib/protocols/dns.c2
-rw-r--r--src/lib/protocols/netbios.c6
-rw-r--r--src/lib/protocols/tls.c19
-rw-r--r--src/lib/protocols/yahoo.c3
5 files changed, 22 insertions, 16 deletions
diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c
index bfad1a593..33b20fcab 100644
--- a/src/lib/protocols/capwap.c
+++ b/src/lib/protocols/capwap.c
@@ -66,10 +66,12 @@ static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_s
else
offset = 15, to_add = 17;
- msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
+ if (packet->payload_packet_len >= offset + sizeof(u_int16_t)) {
+ msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
- if((msg_len+to_add) == packet->payload_packet_len)
- goto capwap_found;
+ if((msg_len+to_add) == packet->payload_packet_len)
+ goto capwap_found;
+ }
}
if(
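Review bot: The new length guard is correct, but the read it protects is still `*(u_int16_t*)&packet->payload[offset]`, and in the visible `else` branch `offset` is 15, so this is an unaligned two-byte access through a type-punned pointer; on strict-alignment targets that is undefined behaviour independently of the bounds check. A byte-wise read removes both the alignment and the aliasing concern: `msg_len = ((u_int16_t)packet->payload[offset] << 8) | packet->payload[offset + 1];`. When the guard fails, `msg_len` keeps whatever value it had before, which only matters if it is consumed later in ndpi_search_setup_capwap; the function starts before and continues after this hunk, so that cannot be confirmed here. A short why-comment on the guard, `/* the 2-byte length field must lie inside the payload */`, would document the `sizeof(u_int16_t)` term.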
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 2f8fd5612..8290ca9dc 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -113,7 +113,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
&& (((dns_header->flags & 0x2800) == 0x2800 /* Dynamic DNS Update */)
|| ((dns_header->num_answers == 0) && (dns_header->authority_rrs == 0)))) {
/* This is a good query */
- while(x < flow->packet.payload_packet_len) {
+ while(x+2 < flow->packet.payload_packet_len) {
if(flow->packet.payload[x] == '\0') {
x++;
flow->protos.dns.query_type = get16(&x, flow->packet.payload);
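Review bot: The tightened condition `x+2 < flow->packet.payload_packet_len` covers exactly the bytes the visible branch reads — the terminator at `x` and the two bytes `get16()` consumes after `x++` — so any further field the same branch reads below the hunk (the loop body continues past the visible lines) still needs its own check. Because the `+2` otherwise reads as a magic number, a why-comment on the loop would stop the next maintainer from "simplifying" it: `/* need x..x+2 readable: name terminator plus the 16-bit query type read by get16() */`. The body of search_valid_dns starts and ends outside this hunk.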
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index edc9f755f..02d96b043 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -38,7 +38,7 @@ struct netbios_header {
/* ****************************************************************** */
/* The function below has been inherited by tcpdump */
-int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
+static int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len) {
int ret = 0, len;
char *b;
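Review bot: Making `ndpi_netbios_name_interpret` `static` and changing its parameter list removes a previously external symbol, and this hunk does not touch any header; if a three-argument prototype still exists elsewhere it would now be a stale declaration that no longer matches the definition, so that is worth confirming. The new `inlen` parameter is the only thing preventing a read past the input, which deserves a contract comment on the definition, e.g. `/* in/inlen: encoded NetBIOS name and the bytes readable at in; out/out_len: decoded name buffer and its size. Returns -1 if the encoded length does not fit either buffer. */`. The function body continues outside the hunk.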
@@ -46,7 +46,7 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
b = out;
*out = 0;
- if(len > (out_len-1) || len < 1)
+ if(len > (out_len-1) || len < 1 || 2*len > inlen)
return(-1);
while (len--) {
@@ -80,7 +80,7 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct
char name[64];
u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;
- if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0)
+ if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0)
snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
if(sub_protocol == NDPI_PROTOCOL_UNKNOWN)
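Review bot: The new `inlen` argument, `flow->packet.payload_packet_len - off`, is an unsigned subtraction, so a payload shorter than `off` (12 or 14) wraps it to a huge value and neutralises the `2*len > inlen` guard this PR adds; the preceding `flow->packet.payload[12]` read likewise assumes at least 13 bytes. Unless a minimum-length check exists above the hunk in ndpi_int_netbios_add_connection (which starts outside it) or in its caller, the name extraction should be gated on the payload length while leaving the sub_protocol handling below untouched, as sketched here. The unchanged `sizeof(flow->host_server_name)-1` snprintf size also gives up a byte for nothing, since snprintf terminates on its own.
```c
  char name[64];

  /* the name is read at offset 12/14; skip extraction when the payload cannot hold it */
  if(flow->packet.payload_packet_len > 14) {
    u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;

    if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0)
      snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
  }
  /* … unchanged: sub_protocol handling … */
```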
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 970f114cc..8c351053a 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -825,7 +825,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
- if(rc > 0) ja3_str_len += rc;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
/* ********** */
@@ -1113,7 +1113,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
s_offset++;
- for(j=0; j<version_len; j += 2) {
+ // careful not to overflow and loop forever with u_int8_t
+ for(j=0; j+1<version_len; j += 2) {
u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[s_offset+j]));
u_int8_t unknown_tls_version;
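Review bot: The loop bound now keeps `j+1` below `version_len`, but the body still reads two bytes at `packet->payload[s_offset+j]`, and nothing in the hunk shows `s_offset + version_len` being compared against `packet->payload_packet_len`; if that check lives above the hunk (processClientServerHello starts and ends outside it) a comment saying so would help, otherwise the loop should be wrapped in `if(s_offset + version_len <= packet->payload_packet_len)`. The `*((u_int16_t*)...)` cast is also an unaligned access whenever `s_offset+j` is odd; `(packet->payload[s_offset+j] << 8) | packet->payload[s_offset+j+1]` yields the same value without relying on the platform tolerating it. Minor style point: the added `//` comment is the only C++-style comment in view, while the surrounding code uses `/* */`.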
@@ -1155,38 +1156,38 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
for(i=0; i<ja3.num_cipher; i++) {
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
(i > 0) ? "-" : "", ja3.cipher[i]);
- if(rc > 0) ja3_str_len += rc; else break;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
}
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
- if(rc > 0) ja3_str_len += rc;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
/* ********** */
for(i=0; i<ja3.num_tls_extension; i++) {
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
(i > 0) ? "-" : "", ja3.tls_extension[i]);
- if(rc > 0) ja3_str_len += rc; else break;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
}
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
- if(rc > 0) ja3_str_len += rc;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
/* ********** */
for(i=0; i<ja3.num_elliptic_curve; i++) {
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
(i > 0) ? "-" : "", ja3.elliptic_curve[i]);
- if(rc > 0) ja3_str_len += rc; else break;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
}
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
- if(rc > 0) ja3_str_len += rc;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
(i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
- if(rc > 0) ja3_str_len += rc; else break;
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
}
#ifdef DEBUG_TLS
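Review bot: The added `ja3_str_len + rc < JA3_STR_LEN` test keeps `ja3_str_len` inside the buffer, but when snprintf truncates it has already written the leading part of the token (say `12` of `1234`) plus a NUL, the bookkeeping leaves that partial token in place, the comma writers do not `break`, and later calls keep appending into the last byte, so a truncated JA3 string silently produces a fingerprint that looks valid. Instead of repeating the guard nine times, a helper that rolls back the terminator and reports failure keeps each call site to one line and makes truncation observable; it needs `<stdarg.h>`, and the `len` pointer type must match however `ja3_str_len` is declared outside the hunk. The guard also mixes `sizeof(ja3_str)` in the snprintf with `JA3_STR_LEN` in the test, which only agree if `ja3_str` is declared as `char ja3_str[JA3_STR_LEN]`; using one of the two consistently avoids the question.
```c
/* Append a formatted token to buf; on truncation drop the partial token and
 * return 0 so the caller can stop building the fingerprint. */
static int ja3_append(char *buf, size_t buf_size, u_int *len, const char *fmt, ...) {
  va_list ap;
  int rc;

  va_start(ap, fmt);
  rc = vsnprintf(&buf[*len], buf_size - *len, fmt, ap);
  va_end(ap);

  if(rc < 0 || (size_t)rc >= buf_size - *len) {
    buf[*len] = '\0';  /* roll back whatever vsnprintf managed to write */
    return 0;
  }

  *len += rc;
  return 1;
}

  /* … in processClientServerHello … */
  for(i=0; i<ja3.num_cipher; i++)
    if(!ja3_append(ja3_str, sizeof(ja3_str), &ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i])) break;
  ja3_append(ja3_str, sizeof(ja3_str), &ja3_str_len, ",");
  /* … same pattern for tls_extension, elliptic_curve and elliptic_curve_point_format … */
```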
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index ceb9d48b6..bd7f3ef66 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -62,6 +62,9 @@ __forceinline static
#endif
u_int8_t check_ymsg(const u_int8_t * payload, u_int16_t payload_packet_len)
{
+ if (payload_packet_len < sizeof(struct ndpi_yahoo_header)) {
+ return 0;
+ }
const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) payload;
u_int16_t yahoo_len_parsed = 0;