author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-01-05 16:41:53 +0100 |
committer | GitHub <noreply@github.com> | 2023-01-05 16:41:53 +0100 |
commit | 5a5e01a9e2b66e9238c40583baa70341e9ffc3a5 (patch) | |
tree | 1cea1a26741e20be87380717a66df52ac827ea05 /src | |
parent | 663df7e475f756d78f605bd31d260ffb64bc7f5c (diff) |
PPSTREAM: fix some heap-buffer overflows (#1846)
Found by OSS-Fuzz.
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54802
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/protocols/ppstream.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c
index 6625a4bc5..891a4de1b 100644
--- a/src/lib/protocols/ppstream.c
+++ b/src/lib/protocols/ppstream.c
@@ -76,7 +76,7 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct
       }
     }
     /* check 44 */
-    else if(packet->payload[2] == 0x44) {
+    else if(packet->payload[2] == 0x44 && packet->payload_packet_len > 20) {
       /** b1 71 **/
       if(packet->payload[3] == 0xb1 && packet->payload[4] == 0x71) {
         if(packet->payload[13] == 0x00 &&
@@ -156,7 +156,8 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct
       }
     }
     /** check 55 (1) **/
-    else if(packet->payload[2] == 0x55 && (packet->payload[13] == 0x1b &&
+    else if(packet->payload_packet_len > 20 &&
+            packet->payload[2] == 0x55 && (packet->payload[13] == 0x1b &&
             packet->payload[14] == 0xa0 &&
             packet->payload[15] == 0x00 &&
             packet->payload[16] == 0x00 &&
@@ -172,7 +173,8 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct
       return;
     }
     /** check 55 (2) **/
-    else if(packet->payload[2] == 0x55 && packet->payload[1] == 0x00 &&
+    else if(packet->payload_packet_len > 173,8 &&
+            packet->payload[2] == 0x55 && packet->payload[1] == 0x00 &&
       (packet->payload[5] == 0x00 &&
       packet->payload[6] == 0x00 &&
       packet->payload[7] == 0x00 && |
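Review bot: In the "check 44" hunk the new length guard is placed after the `packet->payload[2] == 0x44` comparison, whereas the two later hunks evaluate `packet->payload_packet_len > 20` first; putting the bound first is the defensive ordering and keeps the three branches uniform, i.e. `else if(packet->payload_packet_len > 20 && packet->payload[2] == 0x44) {`. The threshold 20 is also a bare literal that is not tied to anything the reader can check: the visible part of this branch dereferences payload[3], [4] and [13], and the body runs past the end of the hunk, so whether 20 really covers the highest offset read there cannot be confirmed from here. A one-line comment on the guard stating the highest payload index the branch reads (which is what the 20 must exceed) would let the next byte-pattern change keep the bound in sync. The enclosing ndpi_search_ppstream() starts and ends outside this hunk.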
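Review bot: The "check 55 (1)" condition continues past the hunk, so it is not visible whether every payload offset it reads is at or below 20; the same `> 20` literal is repeated in three places in this patch without a shared definition, which makes it easy for one branch to drift if its pattern is later extended. Consider a single file-scope constant such as `#define PPSTREAM_MIN_PAYLOAD_LEN 21` (or a comment on each guard naming the highest offset dereferenced) so the bound and the indices it protects are visibly linked. If the OSS-Fuzz reproducer from the linked issue exercises this branch, it would also be worth committing it as a regression test. The enclosing ndpi_search_ppstream() starts and ends outside this hunk.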