Fixed heap-overflow if compiled with `--enable-tls-sigs`.fix/tls-sig-heap-overflow

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2023-07-07 16:18:53 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2023-07-07 17:39:35 +0200
commit: c0ea02a6ffdecde662267b4178e6b60e73563ce1 (patch)
tree: eb244b631da9f86cf3b97ddd06c2bc9538a2c830 /src
parent: bdd295bc2c8ec51357b4b43db17b50844acce540 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index e2c20ee03..709a77a96 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2250,10 +2250,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		tot_signature_algorithms_len = ndpi_min((sizeof(ja3.client.signature_algorithms) / 2) - 1, tot_signature_algorithms_len);
 
 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
-		flow->protos.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS);
+		size_t size = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS);
 
-		memcpy(flow->protos.tls_quic.client_signature_algorithms,
-		       &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic.num_tls_signature_algorithms);
+		if (s_offset + 2 * size <= packet->payload_packet_len) {
+			flow->protos.tls_quic.num_tls_signature_algorithms = size;
+			memcpy(flow->protos.tls_quic.client_signature_algorithms,
+			       &packet->payload[s_offset], 2 /* 16 bit */ * size);
+		}
 #endif
 
 		for(i=0; i<tot_signature_algorithms_len && s_offset+i<total_len; i++) {
author	Toni Uhlig <matzeton@googlemail.com>	2023-07-07 16:18:53 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2023-07-07 17:39:35 +0200
commit	c0ea02a6ffdecde662267b4178e6b60e73563ce1 (patch)
tree	eb244b631da9f86cf3b97ddd06c2bc9538a2c830 /src
parent	bdd295bc2c8ec51357b4b43db17b50844acce540 (diff)