author | Michele Campus <fci1908@gmail.com> | 2016-07-25 12:12:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-25 12:12:47 +0200 |
commit | 32e6a79e9c93c3d7b1183a9e3dfc014b384f915c (patch) | |
tree | 536e25f806e9b9e2c821cd6e1d6933a2506d42c5 /src | |
parent | 77fc4be458211087e5adf26b9d9067098a907697 (diff) | |
parent | d1f0b56adc56a35f98d8b5cabe426dc2408b65c9 (diff) |
Merge pull request #234 from theirix/fix-overflows
Fixed payload overflow in MQTT, DNS
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/protocols/dns.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/mqtt.c | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 7ee114579..5358cc8b7 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -80,7 +80,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 }
 if((s_port == 53 || d_port == 53 || d_port == 5355)
- && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header))) {
+ && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header)+x)) {
 struct ndpi_dns_packet_header dns_header;
 int invalid = 0;
@@ -185,7 +185,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 /* extract host name server */
 int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1;
- while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) {
+ while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
 flow->host_server_name[j] = flow->packet.payload[off];
 if(j < max_len) {
 if(flow->host_server_name[j] < ' ')
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index 024fad8a7..37c469066 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@@ -144,7 +144,7 @@ void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Passed second stage of identification\n");
 // third stage verification (payload)
 if (pt == CONNECT) {
- if (memcmp(&(packet->payload[4]),"MQTT",4) == 0) {
+ if (packet->payload_packet_len >= 8 && memcmp(&(packet->payload[4]),"MQTT",4) == 0) {
 NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found CONNECT\n");
 ndpi_int_mqtt_add_connection(ndpi_struct,flow);
 return; |
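Review bot: In the first dns.c hunk (@@ -80) the new guard adds `x` to the header size without a comment, and `x` is declared outside the hunk, so the bound being enforced cannot be read from the condition itself. It looks like an offset of the DNS header inside the payload, but that is an inference. I would add a comment above the condition, for example `/* x: offset of the DNS header inside the payload; the whole header must fit after it */`, adjusted to whatever `x` actually holds. If `x` is a signed int, it is also worth confirming it can never be negative, since the sum is evaluated as size_t. ndpi_search_dns starts and ends outside the hunk.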
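Review bot: In the second dns.c hunk (@@ -185) the start offset is still `off = sizeof(struct ndpi_dns_packet_header) + 1`, without the `x` that the guard in the first hunk now adds to the same header size. If `x` is the offset of the DNS header within the payload, then whenever it is non-zero the copy starts inside the header instead of at the query name; `off = sizeof(struct ndpi_dns_packet_header) + x + 1` would keep the two in step, to be confirmed against how `x` is set outside the hunk. The reordered loop condition itself is correct, since the bound is now tested before `payload[off]` is read. The store to `flow->host_server_name[j]` still precedes the `j < max_len` test, so it stays in bounds only if the rest of the loop body, which is outside the hunk, stops once `j` reaches `max_len`.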
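Review bot: The new length check in the mqtt.c hunk uses the bare constant `8`, which is the offset `4` plus the four bytes compared by `memcmp`, so three literals have to be kept in agreement by hand. A named constant, or at least a comment such as `/* offset 4 + strlen("MQTT") */` on that line, would make the bound self-explaining. The fixed offset also presumes a one-byte Remaining Length field in the MQTT fixed header, so a CONNECT with a longer length encoding would not match here; that predates this change but deserves a comment. The other packet-type branches of ndpi_search_mqtt are outside the hunk, so it cannot be seen from here whether they read `packet->payload` at fixed offsets behind a similar check.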