Fixed stack overflow caused by missing length check

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2020-06-17 23:00:20 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2020-06-18 00:52:04 +0200
commit: 23594f036536468072198a57c59b6e9d63caf6ce (patch)
tree: a8556c44e3cc128f19ecf66b40ab592c82e3b7d7 /src
parent: 0ddc3a0052cfd3ad539ae0540aa4879bcae80ee5 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 816b23a50..c8a0e43b2 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -196,6 +196,14 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
   char *str;
   u_int len, j;
 
+  if (*rdnSeqBuf_offset >= rdnSeqBuf_len) {
+#ifdef DEBUG_TLS
+    printf("[TLS] %s() [buffer capacity reached][%u]\n",
+           __FUNCTION__, rdnSeqBuf_len);
+#endif
+    return -1;
+  }
+
   // packet is truncated... further inspection is not needed
   if((offset+4+str_len) >= packet->payload_packet_len)
     return(-1);
@@ -235,7 +243,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 				       u_int16_t p_offset, u_int16_t certificate_len) {
   struct ndpi_packet_struct *packet = &flow->packet;
   u_int num_found = 0, i;
-  char buffer[64] = { '\0' }, rdnSeqBuf[1024] = { '\0' };
+  char buffer[64] = { '\0' }, rdnSeqBuf[2048] = { '\0' };
   u_int rdn_len = 0;
 
 #ifdef DEBUG_TLS
author	Toni Uhlig <matzeton@googlemail.com>	2020-06-17 23:00:20 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2020-06-18 00:52:04 +0200
commit	23594f036536468072198a57c59b6e9d63caf6ce (patch)
tree	a8556c44e3cc128f19ecf66b40ab592c82e3b7d7 /src
parent	0ddc3a0052cfd3ad539ae0540aa4879bcae80ee5 (diff)