author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-07-12 18:39:05 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-12 18:39:05 +0200 |
commit | 407155755da29734e9b8a8e7a6960c568b1d3188 (patch) | |
tree | 9f54b2b2a387f06d6a02207d98c186b5f068b017 /src | |
parent | 9c235796af60977ba316c612d4a02014896127f8 (diff) |
ASN1/BER: fix signed integer overflow (#1660)
```
protocols/snmp_proto.c:77:23: runtime error: signed integer overflow: 6 + 2147483647 cannot be represented in type 'int'
#0 0x52f69e in ndpi_search_snmp ndpi/src/lib/protocols/snmp_proto.c:77:23
#1 0x4c5347 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:5211:4
#2 0x4c5591 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0
#3 0x4c8903 in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:6145:15
#4 0x4b3712 in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:29:5
[...]
```
Found by oss-fuzzer.
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49057
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_main.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/kerberos.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/ldap.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/snmp_proto.c | 2 |
5 files changed, 5 insertions, 5 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 0069d987a..071097d99 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -165,7 +165,7 @@ extern "C" {
 char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
 char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
- int ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len);
+ int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len);
 #ifdef __cplusplus
 }
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index ce1911743..f7c5a110b 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2707,7 +2707,7 @@ u_int8_t ndpi_check_flow_risk_exceptions(struct ndpi_detection_module_struct *nd
 /* ******************************************* */
-int ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len)
+int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len)
 {
 unsigned int value, i;
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index ab2a58e14..92ee7defe 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -41,7 +41,7 @@ static int krb_decode_asn1_length(struct ndpi_detection_module_struct *ndpi_stru
 size_t * const kasn1_offset)
 {
 struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
- int length;
+ int64_t length;
 u_int16_t value_len;
 length = ndpi_asn1_ber_decode_length(&packet->payload[*kasn1_offset],
diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c
index 70c9c072f..35ea2e199 100644
--- a/src/lib/protocols/ldap.c
+++ b/src/lib/protocols/ldap.c
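Review bot: The prototype of `ndpi_asn1_ber_decode_length` in src/include/ndpi_main.h has no comment, and its return contract is now the thing every caller has to get right. A comment such as `/* Returns the decoded BER length, or a negative value on error (confirm against the implementation); keep the result in an int64_t before adding offsets to it. */` would record why the type is 64-bit. Because the declaration sits inside the `extern "C"` block of a shared header, any caller outside this commit that still stores the result in `int` will compile silently and narrow the value again.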
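Review bot: In src/lib/ndpi_utils.c the wider return type removes the overflow only for callers that also keep the result in a 64-bit variable; nothing in the visible lines bounds the decoded `value` by `payload_len`. The length is read straight from packet bytes, so consider rejecting it inside the decoder once it exceeds the remaining buffer, e.g. `if(payload_len < 0 || value > (unsigned int)payload_len) return -1;` just before the return, provided no caller needs lengths larger than the captured payload. That would protect the kerberos, ldap and snmp callers in one place instead of relying on each local's type. The function body continues outside the hunk, so part of this may already be handled there.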
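Review bot: In src/lib/protocols/kerberos.c the wrapper `krb_decode_asn1_length` is still declared `static int` (visible in the hunk header) while its local `length` is now `int64_t`, so a `return length;` would convert the value back to `int`. That is only safe if the code after the hunk rejects lengths larger than the remaining payload before returning. If it does not, either add `if(length > INT_MAX) return -1;` or widen the wrapper's return type to `int64_t` as well. The function body runs past the last line of the hunk, so the return path cannot be checked from here.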
@@ -38,7 +38,7 @@ static void ndpi_int_ldap_add_connection(struct ndpi_detection_module_struct *nd
 void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- int length;
+ int64_t length;
 u_int16_t length_len = 0, msg_id_len;
 u_int8_t op;
diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c
index 5f0e67277..21ae03fba 100644
--- a/src/lib/protocols/snmp_proto.c
+++ b/src/lib/protocols/snmp_proto.c
@@ -69,7 +69,7 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
 if(packet->payload_packet_len > 16 && packet->payload[0] == 0x30) {
 u_int16_t len_length = 0, offset;
- int len;
+ int64_t len;
 len = ndpi_asn1_ber_decode_length(&packet->payload[1], packet->payload_packet_len - 1, &len_length); |