authorDarryl Sokoloski <darryl@sokoloski.ca>2018-09-11 17:16:12 -0400
committerDarryl Sokoloski <darryl@sokoloski.ca>2018-09-11 17:16:12 -0400
commitc0ed50d5b002838ded46ee22852404998389f9b7 (patch)
treee06c2d4f2c1567231ce52ca08db5b7a8dedb0202 /src/lib
parentadcb82d2b528a24d834c6b9ebb183a7261401afd (diff)
Prevent invalid reads past end-of-buffer.
The recent revert commit applied to ndpi_parse_packet_line_info resurrects an old bug where the last lines in packets that end with a CR+NL will not be parsed. That revert was an attempt to prevent invalid reads past the end of the packet buffer. This PR moves the end-of-bounds test to before the 16-bit read and returns if true. This fixes the case where a text line ends aligned to the buffer-end boundary, and it fixes the invalid read issue. Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 722fdb68f..b904bbefc 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4641,7 +4641,11 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
packet->line[packet->parsed_lines].ptr = packet->payload;
packet->line[packet->parsed_lines].len = 0;
- for(a = 0; a < packet->payload_packet_len-2; a++) {
+ for(a = 0; a < packet->payload_packet_len; a++) {
+
+ if((a + 1) == packet->payload_packet_len)
+ return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */
+
if(get_u_int16_t(packet->payload, a) == ntohs(0x0d0a)) { /* If end of line char sequence CR+NL "\r\n", process line */
packet->line[packet->parsed_lines].len = (u_int16_t)(((unsigned long) &packet->payload[a]) - ((unsigned long) packet->line[packet->parsed_lines].ptr));
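Review bot: The added `return` at `(a + 1) == packet->payload_packet_len` exits the function from inside the loop, so anything that follows the `for` is skipped whenever the payload does not end on a CR+NL pair. A payload that ends exactly on CR+NL now leaves the loop normally instead, because the second hunk removes the old `(a + 2) >= packet->payload_packet_len` return, so the two end-of-buffer cases take different exit paths. The code after the loop is outside this hunk and should be checked; if the final unterminated line is recorded there, it would no longer be counted. Folding the bound into the loop condition keeps the 16-bit read in bounds and gives both cases the same exit: `for(a = 0; (a + 1) < packet->payload_packet_len; a++) {`, with the in-loop test dropped.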
@@ -4821,9 +4825,6 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
packet->line[packet->parsed_lines].ptr = &packet->payload[a + 2];
packet->line[packet->parsed_lines].len = 0;
- if((a + 2) >= packet->payload_packet_len)
- return;
-
a++; /* next char in the payload */
}
}