authoremanuele-f <black.silver@hotmail.it>2019-10-04 11:31:40 +0200
committeremanuele-f <black.silver@hotmail.it>2019-10-04 11:54:05 +0200
commit76ec74cbf15be6729ee9da28e8be18a6919cbc18 (patch)
treea9be70ab9f324a030bdc936dfa94efdbb83470be /src
parent8ae5da14727aff7977846dbd5eeae99b65d93d32 (diff)
Fix out of bounds read in ndpi_match_custom_category
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h7
-rw-r--r--src/lib/ndpi_main.c43
2 files changed, 34 insertions, 16 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 194afa7d6..6bf2d5779 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -754,12 +754,12 @@ extern "C" {
u_int32_t daddr,
ndpi_protocol *ret);
int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
- char *name, unsigned long *id);
+ char *name, u_int name_len, unsigned long *id);
void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret);
int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_struct,
- char *name_or_ip, unsigned long *id);
+ char *name_or_ip, u_int name_len, unsigned long *id);
int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_detection_preference pref,
int value);
@@ -782,11 +782,12 @@ extern "C" {
*
* @par The automata initialized with ndpi_init_automa();
* @par The (sub)string to search
+ * @par The (sub)string length
* @par The id associated with the matched string or 0 id not found.
* @return 0 in case of match, or -1 if no match, or -2 if an error occurred.
*
*/
- int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id);
+ int ndpi_match_string_id(void *_automa, char *string_to_match, u_int match_len, unsigned long *id);
/* Utility functions to set ndpi malloc/free/print wrappers */
void set_ndpi_malloc(void* (*__ndpi_malloc)(size_t size));
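Review bot: The added `@par The (sub)string length` line does not say what unit the length is in or whether the buffer must still be NUL-terminated, which is what a caller needs to know now that the library no longer calls `strlen()` itself. I would word it as `@par The number of bytes of the (sub)string to search; it must not exceed the readable size of the buffer`. The two declarations changed in the previous hunk, `ndpi_match_custom_category` and `ndpi_get_custom_category_match`, gain `name_len` with no description at all and would benefit from the same sentence. The doc comment begins outside this hunk.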
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4fb3b68cf..0fb53b327 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2234,7 +2234,7 @@ int ndpi_match_string(void *_automa, char *string_to_match) {
/* ****************************************************** */
-int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id) {
+int ndpi_match_string_id(void *_automa, char *string_to_match, u_int match_len, unsigned long *id) {
AC_TEXT_t ac_input_text;
AC_AUTOMATA_t *automa = (AC_AUTOMATA_t*)_automa;
AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
@@ -2246,7 +2246,7 @@ int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id
|| (string_to_match[0] == '\0'))
return(-2);
- ac_input_text.astring = string_to_match, ac_input_text.length = strlen(string_to_match);
+ ac_input_text.astring = string_to_match, ac_input_text.length = match_len;
rc = ac_automata_search(automa, &ac_input_text, &match);
ac_automata_reset(automa);
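Review bot: The guard directly above the changed assignment still dereferences `string_to_match[0]` and never looks at `match_len`, so a call with a zero length and a buffer that is not NUL-terminated still reads a byte the caller did not offer, and a zero-length search is passed on to `ac_automata_search`. Adding `|| (match_len == 0)` before the `(string_to_match[0] == '\0')` test rejects empty input before the buffer is touched. The start of that condition is outside the hunk, so the exact placement has to be checked against the full function.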
@@ -2283,7 +2283,7 @@ static int hyperscanCustomEventHandler(unsigned int id,
/* *********************************************** */
int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_str,
- char *name, unsigned long *id) {
+ char *name, u_int name_len, unsigned long *id) {
#ifdef HAVE_HYPERSCAN
if(ndpi_str->custom_categories.hostnames == NULL)
return(-1);
@@ -2293,7 +2293,7 @@ int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_str,
*id = (unsigned long)-1;
rc = hs_scan(ndpi_str->custom_categories.hostnames->database,
- name, strlen(name), 0,
+ name, name_len, 0,
ndpi_str->custom_categories.hostnames->scratch,
hyperscanCustomEventHandler, id);
@@ -2306,21 +2306,27 @@ int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_str,
return(-1);
}
#else
- return(ndpi_match_string_id(ndpi_str->custom_categories.hostnames.ac_automa, name, id));
+ return(ndpi_match_string_id(ndpi_str->custom_categories.hostnames.ac_automa, name, name_len, id));
#endif
}
/* *********************************************** */
int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str,
- char *name_or_ip, unsigned long *id) {
+ char *name_or_ip, u_int name_len, unsigned long *id) {
char ipbuf[64], *ptr;
struct in_addr pin;
+ u_int cp_len = ndpi_min(sizeof(ipbuf)-1, name_len);
if(!ndpi_str->custom_categories.categories_loaded)
return(-1);
- snprintf(ipbuf, sizeof(ipbuf)-1, "%s", name_or_ip);
+ if(cp_len > 0) {
+ memcpy(ipbuf, name_or_ip, cp_len);
+ ipbuf[cp_len] = '\0';
+ } else
+ ipbuf[0] = '\0';
+
ptr = strrchr(ipbuf, '/');
if(ptr)
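Review bot: The new bounded copy into `ipbuf` carries no comment explaining why `memcpy` plus a manual terminator is used instead of a `%s` format, and the reason is easy to lose in a later clean-up. I would add above `if(cp_len > 0)` the line `/* name_or_ip may not be NUL-terminated: copy at most name_len bytes and terminate ipbuf ourselves */`. As a style point, the `else` branch is unbraced while its `if` is braced; bracing both avoids a dangling-statement mistake when the branch grows. The function body continues past the end of this hunk.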
@@ -2343,7 +2349,7 @@ int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_str
return(-1);
} else
/* Search Host */
- return(ndpi_match_custom_category(ndpi_str, name_or_ip, id));
+ return(ndpi_match_custom_category(ndpi_str, name_or_ip, name_len, id));
}
/* *********************************************** */
@@ -4231,15 +4237,24 @@ void ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_str,
patricia_node_t *node;
struct in_addr pin;
int bits = 32;
- char *ptr = strrchr(ip_address_and_mask, '/');
+ char *ptr;
+ char ipbuf[64];
+
+ strncpy(ipbuf, ip_address_and_mask, sizeof(ipbuf));
+ ipbuf[sizeof(ipbuf) - 1] = '\0';
+
+ ptr = strrchr(ipbuf, '/');
if(ptr) {
- ptr++;
+ *(ptr++) = '\0';
if(atoi(ptr)>=0 && atoi(ptr)<=32)
bits = atoi(ptr);
}
- inet_pton(AF_INET, ip_address_and_mask, &pin);
+ if(inet_pton(AF_INET, ipbuf, &pin) != 1) {
+ NDPI_LOG_DBG2(ndpi_str, "Invalid ip/ip+netmask: %s\n", ip_address_and_mask);
+ return;
+ }
if((node = add_to_ptree(ndpi_str->custom_categories.ipAddresses_shadow,
AF_INET, &pin, bits)) != NULL)
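Review bot: The prefix length after the `/` is still parsed with `atoi`, which returns 0 for empty or non-numeric text, so an entry like `1.2.3.4/x` (constructed example) ends up with `bits = 0` rather than being rejected or left at the default of 32. A zero-length prefix would presumably make the category apply to every IPv4 address. Parsing once with `strtol` and checking the end pointer, as sketched below, accepts only a complete number in 0..32 and also removes the three repeated `atoi` calls. Separately, `strncpy` into `ipbuf` truncates long input silently. The explicit terminator makes that safe, but `snprintf(ipbuf, sizeof(ipbuf), "%s", ip_address_and_mask)` does both steps in one call. The function starts and ends outside this hunk.

```c
  ptr = strrchr(ipbuf, '/');
  if(ptr) {
    char *end;
    long mask;

    *(ptr++) = '\0';
    mask = strtol(ptr, &end, 10);
    /* accept only a complete decimal number in 0..32; otherwise keep bits = 32 */
    if(end != ptr && *end == '\0' && mask >= 0 && mask <= 32)
      bits = (int)mask;
  }
  /* … unchanged: inet_pton() validation and add_to_ptree() call … */
```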
@@ -4457,7 +4472,8 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
if(flow->host_server_name[0] != '\0') {
unsigned long id;
- int rc = ndpi_match_custom_category(ndpi_str, (char *)flow->host_server_name, &id);
+ int rc = ndpi_match_custom_category(ndpi_str, (char *)flow->host_server_name,
+ strlen((char *)flow->host_server_name), &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t)id;
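Review bot: Calling `strlen()` on `flow->host_server_name` at the call site only moves the unbounded scan from the callee to the caller, so it is safe only if that field is always NUL-terminated. Its declaration is not part of this diff. If it is a fixed-size array, `strnlen((char *)flow->host_server_name, sizeof(flow->host_server_name))` bounds the scan by the field size. The same applies to the `strlen(flow->protos.stun_ssl.ssl.client_certificate)` argument added in the next hunk, which also omits the `(char *)` cast used on the line above it. The enclosing function extends beyond both hunks.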
@@ -4469,6 +4485,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
unsigned long id;
int rc = ndpi_match_custom_category(ndpi_str,
(char *)flow->protos.stun_ssl.ssl.client_certificate,
+ strlen(flow->protos.stun_ssl.ssl.client_certificate),
&id);
if(rc == 0) {
@@ -6118,7 +6135,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
&& (ret_match->protocol_category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) {
unsigned long id = ret_match->protocol_category;
- if(ndpi_get_custom_category_match(ndpi_str, string_to_match, &id) != -1) {
+ if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) {
if(id != -1) {
flow->category = ret_match->protocol_category = id;
rc = master_protocol_id;