From 3eb9907dd7bfd21be4980632761852eaee5aec81 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Tue, 18 Feb 2020 11:50:22 +0100
Subject: Fix various buffer over reads

---
 example/reader_util.c     | 7 +++++--
 src/lib/protocols/dns.c   | 3 +++
 src/lib/protocols/oscar.c | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/example/reader_util.c b/example/reader_util.c
index ec070afb3..7ab060ef5 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1476,10 +1476,11 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
   datalink_type = (int)pcap_datalink(workflow->pcap_handle);
 #endif
 
-  if(header->caplen < 40)
-    return(nproto); /* Too short */
 
  datalink_check:
+  if(header->caplen < eth_offset + 40)
+    return(nproto); /* Too short */
+
   switch(datalink_type) {
   case DLT_NULL:
     if(ntohl(*((u_int32_t*)&packet[eth_offset])) == 2)
@@ -1680,6 +1681,8 @@ ether_type_check:
       return(nproto);
     }
   } else if(iph->version == 6) {
+    if (header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr))
+      return(nproto); /* Too short for IPv6 header*/
     iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
     proto = iph6->ip6_hdr.ip6_un1_nxt;
     ip_len = sizeof(struct ndpi_ipv6hdr);
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 924e7eb86..2f8fd5612 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -168,6 +168,9 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 	  } else
 	    x += data_len;
 
+	  if((x+2) >= flow->packet.payload_packet_len) {
+	    break;
+	  }
 	  rsp_type = get16(&x, flow->packet.payload);
 	  flow->protos.dns.rsp_type = rsp_type;
 
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index a24b9441e..cba0c3bcc 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -137,7 +137,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
 	 + TLVs         | [Class: FLAP__SIGNON_TAGS] TLVs   +
 	 +--------------------------------------------------+
       */
-      if(channel == SIGNON &&
+      if(channel == SIGNON && packet->payload_packet_len >= 10 &&
 	  get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) &&
 	  get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION))
 	{
-- 
cgit v1.2.3


From ee979ac14ab8ff477ac9b331f60fd686d21bb548 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Tue, 18 Feb 2020 13:32:20 +0100
Subject: Fix kerberos leak

---
 src/lib/ndpi_main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8d80e25d8..707efbff4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3846,6 +3846,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
 	if(flow->http.url)                  { ndpi_free(flow->http.url); flow->http.url = NULL; }
 	if(flow->http.content_type)         { ndpi_free(flow->http.content_type); flow->http.content_type = NULL; }
 	if(flow->http.user_agent)           { ndpi_free(flow->http.user_agent); flow->http.user_agent = NULL; }
+	if(flow->kerberos_buf.pktbuf) {
+		ndpi_free(flow->kerberos_buf.pktbuf);
+		flow->kerberos_buf.pktbuf = NULL;
+	}
 	if(flow->l4.tcp.tls.message.buffer) {
 	    ndpi_free(flow->l4.tcp.tls.message.buffer);
 	    flow->l4.tcp.tls.message.buffer = NULL;
-- 
cgit v1.2.3