author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-08 11:46:46 +0200 |
committer | GitHub <noreply@github.com> | 2024-05-08 11:46:46 +0200 |
commit | b65a755e8569d428732f54bc72f7da3ffb94a3ff (patch) | |
tree | 27c295cf80940d34195c6d054e72e65f7ba8c8ac /src | |
parent | 7c6910d9e5d5b08a164a22db5db9969e20cbc232 (diff) |
Fix a memory access error and some leaks (#2425)
```
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x557f3a5b5100 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:158:8
#1 0x557f3a59b561 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10412:17
#2 0x557f3a51163a in process_chlo /src/ndpi/src/lib/protocols/quic.c:1467:7
#3 0x557f3a469f4b in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_quic_get_crypto_data.c:44:7
#4 0x557f3a46abc8 in NaloFuzzerTestOneInput (/out/fuzz_quic_get_crypto_data+0x4cfbc8)
```
Some notes about the leak: if the insertion into the uthash fails (because of an
allocation failure), we need to free the just allocated entry. But the only
way to check whether the `HASH_ADD_*` failed is to perform a new lookup: a bit
costly, but we don't use that code in the fast path.
See also efb261a95c5a
Credits for finding the issues to Philippe Antoine (@catenacyber) and his
`nallocfuzz` fuzzing engine
See: https://github.com/catenacyber/nallocfuzz
See: https://github.com/google/oss-fuzz/pull/9902
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_domains.c | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 9 |
2 files changed, 9 insertions, 2 deletions
diff --git a/src/lib/ndpi_domains.c b/src/lib/ndpi_domains.c
index 05153d577..f4398b1c8 100644
--- a/src/lib/ndpi_domains.c
+++ b/src/lib/ndpi_domains.c
@@ -148,7 +148,7 @@ const char* ndpi_get_host_domain(struct ndpi_detection_module_struct *ndpi_str,
 dot = strstr(hostname, ret);
- if(dot == NULL)
+ if(dot == NULL || dot == hostname)
 return(hostname);
 dot--;
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 3314cbea2..a9f8d0a7c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2320,7 +2320,7 @@ int ndpi_hash_find_entry(ndpi_str_hash *h, char *key, u_int key_len, u_int16_t *
 int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int16_t value) {
 ndpi_str_hash_priv *h_priv = (ndpi_str_hash_priv *)*h;
- ndpi_str_hash_priv *item;
+ ndpi_str_hash_priv *item, *ret_found;
 if(!key || key_len == 0)
 return(3);
@@ -2350,6 +2350,13 @@ int ndpi_hash_add_entry(ndpi_str_hash **h, char *key, u_int8_t key_len, u_int16_
 HASH_ADD(hh, *((ndpi_str_hash_priv **)h), key[0], key_len, item);
+ HASH_FIND(hh, *((ndpi_str_hash_priv **)h), key, key_len, ret_found);
+ if(ret_found == NULL) { /* The insertion failed (because of a memory allocation error) */
+ ndpi_free(item->key);
+ ndpi_free(item);
+ return 4;
+ }
+
 return 0;
 }
|
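Review bot: The added `dot == hostname` test in ndpi_get_host_domain exists only to protect the `dot--` two lines below, but nothing on the line says so, and a reader sees a pointer compared with the start of its own buffer without the one-byte-before-the-buffer read that the commit message describes. Suggest `if(dot == NULL || dot == hostname) /* suffix matched at offset 0: dot-1 would read before hostname */`. Whether a strstr hit in the middle of a longer label (not preceded by a '.') is handled depends on what follows `dot--`, which is outside the hunk; ndpi_get_host_domain starts and ends outside this hunk.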
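Review bot: The `ret_found == NULL` check after HASH_ADD in ndpi_hash_add_entry only detects the allocation failure if uthash unlinks the element and returns instead of aborting; stock uthash invokes uthash_fatal (which exits) on OOM unless HASH_NONFATAL_OOM is defined, so the recovery path silently depends on a build-configuration choice the hunk does not show. Suggest stating that on the added line, e.g. `/* relies on HASH_NONFATAL_OOM: on OOM uthash unlinks item instead of aborting */`, and documenting the new return code 4 alongside the existing 3 in the function's header comment, which lies outside the hunk. If a duplicate key could already be present, the lookup would still succeed when this item was the one dropped and item would leak; whether the code between the two ndpi_utils.c hunks rejects duplicates is not visible here. The earlier ndpi_utils.c hunk contributes only the `ret_found` declaration, so the same note covers it.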