authorLuca Deri <lucaderi@users.noreply.github.com>2020-03-20 18:02:27 +0100
committerGitHub <noreply@github.com>2020-03-20 18:02:27 +0100
commita845e997209b987ef85a2562697d4d0522cb0c66 (patch)
tree04a9b505c8af0b5f4d8c32a774edfaf9936fbd1c /src
parent8cda02bb14bad44ae71317b322d895305245e713 (diff)
parent3e259aac986bc86aa89adc2994811bb6f26a0649 (diff)
Merge pull request #859 from catenacyber/fuzzudpfix
Checks enough data for UDP header
Diffstat (limited to 'src')
-rw-r--r--src/lib/protocols/dns.c2
-rw-r--r--src/lib/protocols/fix.c2
-rw-r--r--src/lib/protocols/ssh.c2
-rw-r--r--src/lib/protocols/tls.c8
-rw-r--r--src/lib/protocols/yahoo.c3
5 files changed, 12 insertions, 5 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 8290ca9dc..460117c96 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -141,7 +141,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
/* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */
x++;
- if(flow->packet.payload[x] != '\0') {
+ if(x < flow->packet.payload_packet_len && flow->packet.payload[x] != '\0') {
while((x < flow->packet.payload_packet_len)
&& (flow->packet.payload[x] != '\0')) {
x++;
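Review bot: The guard added to the `if` is now exactly the `while` condition beneath it, so if the `if` body holds nothing but this loop (its closing brace is outside the hunk) the outer test is redundant and the loop alone, `while((x < flow->packet.payload_packet_len) && (flow->packet.payload[x] != '\0')) x++;`, reads more clearly. If the body does more after the loop, a one-line comment saying why the non-terminator test gates it would help the next reader. The comment above, `Leave the statement below commented ...`, now sits over an `x++` that is not commented out and reads as stale; worth rewording or dropping. search_valid_dns starts and ends outside the hunk.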
diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c
index c1f4d2700..35cb1529b 100644
--- a/src/lib/protocols/fix.c
+++ b/src/lib/protocols/fix.c
@@ -33,7 +33,7 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search FIX\n");
- if(packet->tcp) {
+ if(packet->tcp && packet->payload_packet_len > 5) {
// 8=
if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) {
// FIX.
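Review bot: The new length guard `packet->payload_packet_len > 5` is a bare magic number; the reads it protects are `payload[0..1]` for `8=` and, judging by the `// FIX.` comment, `payload[2..5]`, so the bound is exact but only a reader who counts indices will see why. A comment such as `/* need at least 6 bytes: "8=" and "FIX." are read unconditionally below */` or a named constant would pin that. If ndpi_search_fix reads further into the payload later (its body continues past the hunk), those accesses need their own checks, since this one only covers the six-byte prefix.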
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index f3b50b609..959b9c090 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -96,6 +96,8 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
char *buf, u_int8_t client_hash) {
u_int16_t offset = 22, buf_out_len = 0;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
u_int32_t len = ntohl(*(u_int32_t*)&packet->payload[offset]);
offset += 4;
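Review bot: The 32-bit read on the last line of the hunk, `ntohl(*(u_int32_t*)&packet->payload[offset])`, is an unaligned, aliasing-violating access into a byte buffer at offset 22, which the new length check does nothing about; copy it out instead: `u_int32_t len; memcpy(&len, &packet->payload[offset], sizeof(len)); len = ntohl(len);`. The guard's `>=` also rejects a payload of exactly `offset + 4` bytes, for which the read itself is in bounds; `>` is the exact bound, and if the stricter test is deliberate because more bytes are consumed right after, a comment should say so. `len` comes straight off the wire and is used past the hunk, so it still has to be bounded against `packet->payload_packet_len - offset` before anything indexes with it; the `invalid_payload` label and the rest of concat_hash_string are outside the hunk.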
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8c351053a..d32584b05 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -735,7 +735,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t base_offset = packet->tcp ? 38 : 46;
u_int16_t version_offset = packet->tcp ? 4 : 12;
u_int16_t offset = 38, extension_len, j;
- u_int8_t session_id_len = packet->tcp ? packet->payload[offset] : packet->payload[46];
+ u_int8_t session_id_len = 0;
+ if (base_offset < total_len)
+ session_id_len = packet->payload[base_offset];
#ifdef DEBUG_TLS
printf("SSL [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type);
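Review bot: When `base_offset < total_len` is false the new code leaves `session_id_len = 0` and carries on, so a hello truncated before the session-id byte is parsed as if it had an empty session id instead of being rejected; bailing out, e.g. `if(base_offset >= total_len) return 0;` (or whatever value this function uses for "not a hello"), would keep later offsets from being derived from a guess. That presumes `total_len` is the captured payload length and not a length read from the record header; if it is the latter the test bounds nothing, so please confirm (its definition is outside the hunk). `offset` is still initialized to the TCP-only constant 38 while `base_offset` distinguishes TCP from UDP; if it is not reassigned before use that is a latent inconsistency. processClientServerHello continues outside the hunk.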
@@ -1134,10 +1136,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
version_str_len += rc;
}
}
- }
-
if(flow->protos.stun_ssl.ssl.tls_supported_versions == NULL)
flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str);
+ }
+
}
extension_offset += extension_len;
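Review bot: Moving the closing brace changes when `tls_supported_versions` is recorded — the `ndpi_strdup(version_str)` now runs only inside the enclosing block rather than after it — but nothing in the hunk says why, and the commit title ("Checks enough data for UDP header") does not cover it. A one-line comment above the `if`, such as `/* record the list only after the supported_versions extension was actually walked; version_str is not populated otherwise */`, would document the intent, assuming that is the reason (the block's opening and the declaration of `version_str` are outside the hunk). If `version_str` is a stack buffer left uninitialized on the skipped path, that is the bug this move fixes and is worth naming in the comment.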
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index bd7f3ef66..d80e9caee 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -76,6 +76,9 @@ u_int8_t check_ymsg(const u_int8_t * payload, u_int16_t payload_packet_len)
if(ylen >= payload_packet_len || yahoo_len_parsed >= payload_packet_len)
break;
+ if (payload_packet_len < yahoo_len_parsed + sizeof(struct ndpi_yahoo_header)) {
+ return 0;
+ }
yahoo = (struct ndpi_yahoo_header *) (payload + yahoo_len_parsed);
}
while(memcmp(yahoo->YMSG_str, "YMSG", 4) == 0);
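Review bot: The added check returns 0 (not YMSG) when the next header does not fit, whereas the very similar test two lines above, `yahoo_len_parsed >= payload_packet_len`, breaks out of the loop instead, so a capture truncated one header short is treated as non-YMSG by one path and as end-of-data by the other. If the code after the loop reports success for what was parsed so far (check_ymsg continues outside the hunk), `break;` here would keep the two consistent; otherwise the `break` above should become `return 0` as well. The new line also uses `if (` with a space and braces around a single statement, while the surrounding code writes `if(` without a space and without braces; match the file's style. The comparison stays overflow-free only because `sizeof` promotes the sum to `size_t`; a short comment noting that is cheap.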