diff options
| author | Luca Deri <lucaderi@users.noreply.github.com> | 2020-04-15 18:05:16 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-15 18:05:16 +0200 |
| commit | f4c24663fc651904e325aa944bf5a30def726c6a (patch) | |
| tree | b890107aba3e3b0f2f27694f3a808ce9cc0ebc8b /src/lib/protocols | |
| parent | 9f2dabbda469ca3853f3bb7191e74b3f4d47b48c (diff) | |
| parent | 4f370fe7c49cb38125cff2a1411261011e433c94 (diff) | |
Merge pull request #874 from catenacyber/fuzz6fix
Fuzz6fix
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/irc.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/netbios.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/postgres.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/quic.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 4 |
5 files changed, 8 insertions, 7 deletions
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index ed86aed42..2ebb929fa 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -677,7 +677,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (memcmp(&packet->line[i].ptr[j], "SEND ", 5) == 0 || (memcmp(&packet->line[i].ptr[j], "CHAT", 4) == 0) || (memcmp(&packet->line[i].ptr[j], "chat", 4) == 0) - || (memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0) + || (j+7 < packet->line[i].len && memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0) || (memcmp(&packet->line[i].ptr[j], "TSEND", 5) == 0)) { NDPI_LOG_DBG2(ndpi_struct, "found CHAT,chat,sslchat,TSEND."); j += 4; diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index a53a2bfe1..fa47cc4a0 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -80,7 +80,8 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct char name[64]; u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; - if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) + if(off > flow->packet.payload_packet_len && + ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c index b6fa74473..a51fabaab 100644 --- a/src/lib/protocols/postgres.c +++ b/src/lib/protocols/postgres.c @@ -97,7 +97,7 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct return; } size = (u_int16_t)ntohl(get_u_int32_t(packet->payload, 1)) + 1; - if (packet->payload[size - 1] == 'S') { + if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') { if ((size + get_u_int32_t(packet->payload, (size + 1))) == packet->payload_packet_len) { NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); @@ -105,7 +105,7 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct } } size += get_u_int32_t(packet->payload, (size + 1)) + 1; - if (packet->payload[size - 1] == 'S') { + if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') { NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index be746550b..a7873685c 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -130,7 +130,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, while((sni_offset < udp_len) && (packet->payload[sni_offset] == '-')) sni_offset++; - if((sni_offset+len) < udp_len) { + if(len > 0 && (sni_offset+len) < udp_len) { int max_len = sizeof(flow->host_server_name)-1, j = 0; ndpi_protocol_match_result ret_match; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 77d69a6fe..560e483ac 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1069,7 +1069,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += 2; tot_alpn_len += s_offset; - while(s_offset < tot_alpn_len) { + while(s_offset < tot_alpn_len && s_offset < total_len) { u_int8_t alpn_i, alpn_len = packet->payload[s_offset++]; if((s_offset + alpn_len) <= tot_alpn_len) { @@ -1105,7 +1105,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t version_len = packet->payload[s_offset]; char version_str[256]; u_int8_t version_str_len = 0; - + version_str[0] = 0; #ifdef DEBUG_TLS printf("Client SSL [TLS version len: %u]\n", version_len); #endif |