diff options
| author | Luca Deri <deri@ntop.org> | 2019-05-03 18:08:12 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2019-05-03 18:08:12 +0200 |
| commit | e99a0abfba3dff52a00935bed6e08051e2fa4b61 (patch) | |
| tree | fcc6abcd922cda1b7446f046e38c783878d3174b /src | |
| parent | 361ab030bc59d00cc55ed12b15340ac50473e8cb (diff) | |
Hardening fixes for packer parsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/mail_smtp.c | 7 |
2 files changed, 7 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a7971837e..4c60ce969 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5036,7 +5036,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc packet->line[packet->parsed_lines].ptr = packet->payload; packet->line[packet->parsed_lines].len = 0; - for(a = 0; a < packet->payload_packet_len; a++) { + for(a = 0; (a < packet->payload_packet_len) + && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) { if((a + 1) == packet->payload_packet_len) return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */ diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index f7fbd337c..fdc47d15c 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -58,13 +58,16 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n"); - if (packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { + if((packet->payload_packet_len > 2) + && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET) + && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) + ) { u_int8_t a; u_int8_t bit_count = 0; NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow,packet); - for (a = 0; a < packet->parsed_lines; a++) { + for (a = 0; a < packet->parsed_lines; a++) { // expected server responses if (packet->line[a].len >= 3) { if (memcmp(packet->line[a].ptr, "220", 3) == 0) { |