diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-01-19 14:12:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-19 14:12:51 +0100 |
| commit | f95bdaf625a540cbd040508bfbb8808223f97aed (patch) | |
| tree | 7bd29f44449239d0296842707f75622274995658 /src/lib/protocols | |
| parent | edb8165ab9b70cf8c152b6a3dfbec9c8a4853eef (diff) | |
Bittorrent: fix heap-buffer-overflow (#1863)
```
==258287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600068ff9d at pc 0x5653a6e35def bp 0x7ffeef5aa620 sp 0x7ffeef5a9dc8
READ of size 22 at 0x60600068ff9d thread T0
#0 0x5653a6e35dee in strncmp (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x4d2dee) (BuildId: 133b8c3c8ff99408109fcb9be2538bb8341f07f7)
#1 0x5653a70d6624 in ndpi_search_bittorrent /home/ivan/svnrepos/nDPI/src/lib/protocols/bittorrent.c:500:71
#2 0x5653a6ff255a in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5686:6
#3 0x5653a6ff331b in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5722:10
#4 0x5653a6ff2cbc in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5755:12
#5 0x5653a70016bf in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6578:15
#6 0x5653a6f1836d in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1678:31
#7 0x5653a6f140a1 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2256:10
```
Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55218
Fix: 470eaa6f
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/bittorrent.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index 852b7cbac..64e46a4ed 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -494,14 +494,13 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str wireshark/epan/dissectors/packet-bt-utp.c */ - if(packet->payload_packet_len >= 20 /* min header size */) { if( - (strncmp((const char*)packet->payload, bt_search, strlen(bt_search)) == 0) - || (strncmp((const char*)packet->payload, bt_search1, strlen(bt_search1)) == 0) + (packet->payload_packet_len > 22 && strncmp((const char*)packet->payload, bt_search, strlen(bt_search)) == 0) || + (packet->payload_packet_len > 12 && strncmp((const char*)packet->payload, bt_search1, strlen(bt_search1)) == 0) ) { ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); return; - } else { + } else if(packet->payload_packet_len >= 20) { /* Check if this is protocol v0 */ u_int8_t v0_extension = packet->payload[17]; u_int8_t v0_flags = packet->payload[18]; @@ -534,7 +533,6 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str } } - } flow->bittorrent_stage++; |