diff options
| author | Philippe Antoine <contact@catenacyber.fr> | 2020-03-19 16:54:31 +0100 |
|---|---|---|
| committer | Philippe Antoine <contact@catenacyber.fr> | 2020-03-19 16:54:31 +0100 |
| commit | c6acf97bfbe5ad26db3c2f5dd4d379ac674d6fb3 (patch) | |
| tree | 39c8df162295fa16620a5a0491b107a39ead71e5 /src/lib/protocols | |
| parent | e9195589d29d86da1849ad0d195900e6567354cf (diff) | |
Adds different checks against overflows
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/dns.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/fix.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/ssh.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/yahoo.c | 3 |
4 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 8290ca9dc..460117c96 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -141,7 +141,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ x++; - if(flow->packet.payload[x] != '\0') { + if(x < flow->packet.payload_packet_len && flow->packet.payload[x] != '\0') { while((x < flow->packet.payload_packet_len) && (flow->packet.payload[x] != '\0')) { x++; diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c index c1f4d2700..35cb1529b 100644 --- a/src/lib/protocols/fix.c +++ b/src/lib/protocols/fix.c @@ -33,7 +33,7 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search FIX\n"); - if(packet->tcp) { + if(packet->tcp && packet->payload_packet_len > 5) { // 8= if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) { // FIX. diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index f3b50b609..959b9c090 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -96,6 +96,8 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, char *buf, u_int8_t client_hash) { u_int16_t offset = 22, buf_out_len = 0; + if(offset+sizeof(u_int32_t) >= packet->payload_packet_len) + goto invalid_payload; u_int32_t len = ntohl(*(u_int32_t*)&packet->payload[offset]); offset += 4; diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c index bd7f3ef66..d80e9caee 100644 --- a/src/lib/protocols/yahoo.c +++ b/src/lib/protocols/yahoo.c @@ -76,6 +76,9 @@ u_int8_t check_ymsg(const u_int8_t * payload, u_int16_t payload_packet_len) if(ylen >= payload_packet_len || yahoo_len_parsed >= payload_packet_len) break; + if (payload_packet_len < yahoo_len_parsed + sizeof(struct ndpi_yahoo_header)) { + return 0; + } yahoo = (struct ndpi_yahoo_header *) (payload + yahoo_len_parsed); } while(memcmp(yahoo->YMSG_str, "YMSG", 4) == 0); |