authorLuca Deri <lucaderi@users.noreply.github.com>2020-02-19 22:55:18 +0100
committerGitHub <noreply@github.com>2020-02-19 22:55:18 +0100
commit080e23e30ebc1940be5f503b84cb397fea1323cb (patch)
treecaa75d20f0f3bdd1a6b8f2402e0670f1b18d31af /src
parentedce5a8c1fbdf7fd7362e4ca3b44da52356487fc (diff)
parentee979ac14ab8ff477ac9b331f60fd686d21bb548 (diff)
Merge pull request #846 from catenacyber/fuzzofix
Fix various buffer over reads
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/protocols/dns.c3
-rw-r--r--src/lib/protocols/oscar.c2
3 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d1507f68f..af6811b25 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3846,6 +3846,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
if(flow->http.url) { ndpi_free(flow->http.url); flow->http.url = NULL; }
if(flow->http.content_type) { ndpi_free(flow->http.content_type); flow->http.content_type = NULL; }
if(flow->http.user_agent) { ndpi_free(flow->http.user_agent); flow->http.user_agent = NULL; }
+ if(flow->kerberos_buf.pktbuf) {
+ ndpi_free(flow->kerberos_buf.pktbuf);
+ flow->kerberos_buf.pktbuf = NULL;
+ }
if(flow->l4.tcp.tls.message.buffer) {
ndpi_free(flow->l4.tcp.tls.message.buffer);
flow->l4.tcp.tls.message.buffer = NULL;
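Review bot: Any length or offset bookkeeping kept next to `flow->kerberos_buf.pktbuf` is not reset in the added block, which only frees and NULLs the pointer. If `kerberos_buf` carries such fields, they should be zeroed here as well, so that a stale length from the previous flow state is never applied to a later, smaller allocation. A short comment such as `/* drop any partially buffered Kerberos data when the flow is reset */` would also explain why the release belongs in this function. ndpi_init_packet_header starts and ends outside the hunk, so the struct layout cannot be confirmed from this view.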
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 924e7eb86..2f8fd5612 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -168,6 +168,9 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
} else
x += data_len;
+ if((x+2) >= flow->packet.payload_packet_len) {
+ break;
+ }
rsp_type = get16(&x, flow->packet.payload);
flow->protos.dns.rsp_type = rsp_type;
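Review bot: The added guard `if((x+2) >= flow->packet.payload_packet_len)` also rejects the exact-fit case where `x+2` equals the payload length, even though a two-byte read at `x` would still be in bounds then (assuming `get16` reads two bytes and advances `x`, as its use suggests). If the stricter bound is deliberate because more fields are read after the type, say so in a comment, e.g. `/* need the 2-byte type plus at least one byte after it */`; otherwise `>` is the exact bound. The `x += data_len` just above adds a length that presumably comes from the packet, so the guard also relies on `x` being wide enough not to wrap; that declaration is outside the hunk and worth confirming. The loop that this `break` leaves also starts outside the hunk.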
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index a24b9441e..cba0c3bcc 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -137,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
+ TLVs | [Class: FLAP__SIGNON_TAGS] TLVs +
+--------------------------------------------------+
*/
- if(channel == SIGNON &&
+ if(channel == SIGNON && packet->payload_packet_len >= 10 &&
get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) &&
get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION))
{
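Review bot: The literal `10` in the added `packet->payload_packet_len >= 10` is unexplained, and it is only correct because the 32-bit read at offset 6 touches bytes 6..9. A comment such as `/* reads below touch payload[4..9] */`, or a named constant, would keep the bound tied to those offsets if they ever change. The check is correctly placed ahead of both reads, so short-circuit evaluation protects them, and it also keeps `payload_packet_len - 6` from going negative. The other channel branches of ndpi_search_oscar_tcp_connect lie outside the hunk and may need the same kind of guard.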