Fixes OOB reads in postgres

Reported by GHSL
author: Philippe Antoine <contact@catenacyber.fr> 2020-04-15 15:35:34 +0200
committer: Philippe Antoine <contact@catenacyber.fr> 2020-04-15 15:35:34 +0200
commit: 81e97d75153e38ce024a308b75d64edeb4b5e9bb (patch)
tree: 5994fa605de09b43b4f6a4034af2796a04e9a498 /src
parent: afdae85b30add25b93df65f1cade1d6c15f855f8 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c
index b6fa74473..a51fabaab 100644
--- a/src/lib/protocols/postgres.c
+++ b/src/lib/protocols/postgres.c
@@ -97,7 +97,7 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct
 				return;
 			}
 			size = (u_int16_t)ntohl(get_u_int32_t(packet->payload, 1)) + 1;
-			if (packet->payload[size - 1] == 'S') {
+			if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') {
 				if ((size + get_u_int32_t(packet->payload, (size + 1))) == packet->payload_packet_len) {
 					NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n");
 					ndpi_int_postgres_add_connection(ndpi_struct, flow);
@@ -105,7 +105,7 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct
 				}
 			}
 			size += get_u_int32_t(packet->payload, (size + 1)) + 1;
-			if (packet->payload[size - 1] == 'S') {
+			if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') {
 				NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n");
 				ndpi_int_postgres_add_connection(ndpi_struct, flow);
 				return;
author	Philippe Antoine <contact@catenacyber.fr>	2020-04-15 15:35:34 +0200
committer	Philippe Antoine <contact@catenacyber.fr>	2020-04-15 15:35:34 +0200
commit	81e97d75153e38ce024a308b75d64edeb4b5e9bb (patch)
tree	5994fa605de09b43b4f6a4034af2796a04e9a498 /src
parent	afdae85b30add25b93df65f1cade1d6c15f855f8 (diff)