Fix various buffer over reads

author: Philippe Antoine <contact@catenacyber.fr> 2020-02-18 11:50:22 +0100
committer: Philippe Antoine <contact@catenacyber.fr> 2020-02-18 11:50:22 +0100
commit: 3eb9907dd7bfd21be4980632761852eaee5aec81 (patch)
tree: a2fc0b40d1fa1a67bdfabf2888c5d35b2036ea40 /src
parent: fdf8dd724fc86c4d38daa66b62021ae2d34f1432 (diff)
2 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 924e7eb86..2f8fd5612 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -168,6 +168,9 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 	  } else
 	    x += data_len;
 
+	  if((x+2) >= flow->packet.payload_packet_len) {
+	    break;
+	  }
 	  rsp_type = get16(&x, flow->packet.payload);
 	  flow->protos.dns.rsp_type = rsp_type;
 
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index a24b9441e..cba0c3bcc 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -137,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
 	 + TLVs         | [Class: FLAP__SIGNON_TAGS] TLVs   +
 	 +--------------------------------------------------+
       */
-      if(channel == SIGNON &&
+      if(channel == SIGNON && packet->payload_packet_len >= 10 &&
 	  get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) &&
 	  get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION))
 	{
author	Philippe Antoine <contact@catenacyber.fr>	2020-02-18 11:50:22 +0100
committer	Philippe Antoine <contact@catenacyber.fr>	2020-02-18 11:50:22 +0100
commit	3eb9907dd7bfd21be4980632761852eaee5aec81 (patch)
tree	a2fc0b40d1fa1a67bdfabf2888c5d35b2036ea40 /src
parent	fdf8dd724fc86c4d38daa66b62021ae2d34f1432 (diff)