author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-10-11 23:08:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-11 23:08:10 +0200 |
commit | 550e6fe6fcd96e507763db66873791b96f19fe2b (patch) | |
tree | a2f3c7fc2b66532399e7ff20e1a2ef09ef07dd44 /src/lib | |
parent | a8f938f7acfc6cf6c64c00205f5bf75462d767e0 (diff) |
QUIC: fix an integer overflow (#1337)
Long standing bug: credits to @lnslbrty for digging into it and to
@aouinizied for the CI improvements
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/protocols/quic.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index dbdb9e6f1..af19fe7ea 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1348,14 +1348,14 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
 if(prev_offset > offset)
 break;
 len = offset - prev_offset;
- if(tag_offset_start + prev_offset + len > crypto_data_len)
+ /* Promote to uint64_t to avoid unsigned wrapping */
+ if((uint64_t)tag_offset_start + prev_offset + len > (uint64_t)crypto_data_len)
 break;
 #if 0
- printf("crypto_data_len %u prev_offset %u offset %u len %d\n",
- crypto_data_len, prev_offset, offset, len);
+ printf("crypto_data_len %u tag_offset_start %u prev_offset %u offset %u len %u\n",
+ crypto_data_len, tag_offset_start, prev_offset, offset, len);
 #endif
- if((memcmp(tag, "SNI\0", 4) == 0) &&
- (tag_offset_start + prev_offset + len < crypto_data_len)) {
+ if(memcmp(tag, "SNI\0", 4) == 0) {
 sni_len = MIN(len, sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name) - 1);
 memcpy(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
 &crypto_data[tag_offset_start + prev_offset], sni_len);
@@ -1381,15 +1381,13 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
 if(memcmp(tag, "UAID", 4) == 0) {
 u_int uaid_offset = tag_offset_start + prev_offset;
- if((uaid_offset + len) < crypto_data_len) {
- NDPI_LOG_DBG2(ndpi_struct, "UA: [%.*s]\n", len, &crypto_data[uaid_offset]);
+ NDPI_LOG_DBG2(ndpi_struct, "UA: [%.*s]\n", len, &crypto_data[uaid_offset]);
- http_process_user_agent(ndpi_struct, flow, &crypto_data[uaid_offset], len); /* http.c */
- ua_found = 1;
+ http_process_user_agent(ndpi_struct, flow, &crypto_data[uaid_offset], len); /* http.c */
+ ua_found = 1;
- if (sni_found)
- return;
- }
+ if (sni_found)
+ return;
 }
 prev_offset = offset; |
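Review bot: The UAID block in the second hunk no longer has a bounds check of its own, so the `%.*s` log and the `http_process_user_agent` read of `len` bytes at `crypto_data[uaid_offset]` (like the SNI `memcpy` in the first hunk) are in bounds only because the promoted `(uint64_t)tag_offset_start + prev_offset + len > (uint64_t)crypto_data_len` test at the top of the loop body breaks first, and that dependency is not stated where the reads happen. A one-line comment above `u_int uaid_offset = tag_offset_start + prev_offset;`, such as `/* uaid_offset + len <= crypto_data_len is guaranteed by the uint64_t bounds check above */`, would keep a later edit from reordering or loosening that check. The promotion is only sound if `len`, `prev_offset` and `tag_offset_start` are unsigned and no wider than 32 bits; the `%d` to `%u` change in the disabled printf suggests `len` is unsigned, but its declaration is outside the hunk and worth confirming, and since `%.*s` expects an `int` precision, passing `(int)len` there would avoid a format/argument type mismatch. process_chlo begins and ends outside both hunks.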