From da0889d3ba9c83bf65c8a5656c31ab54f6252329 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 17 Apr 2020 22:21:03 +0200
Subject: Adds bound check before calling ndpi_handle_ipv6_extension_headers
---
 example/reader_util.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'example/reader_util.c')
diff --git a/example/reader_util.c b/example/reader_util.c
index 94aafca2f..1c20bbf4c 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1700,6 +1700,9 @@ ether_type_check:
 iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
 proto = iph6->ip6_hdr.ip6_un1_nxt;
 ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen);
+ if (header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr + ntohs(iph_v6->ip6_hdr.ip6_un1_plen))
+ return(nproto); /* Too short for IPv6 payload*/
+
 const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr));
 if(ndpi_handle_ipv6_extension_headers(NULL, &l4ptr, &ip_len, &proto) != 0) {
-- cgit v1.2.3
From c2b2692e65fbb43e6847ab641f4d676493be76ac Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Sat, 18 Apr 2020 14:39:57 +0200
Subject: Seeting right flow protocol after IP6 extensions Finally fixing https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20727
---
 example/reader_util.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
(limited to 'example/reader_util.c')
diff --git a/example/reader_util.c b/example/reader_util.c
index 1c20bbf4c..dadffb8cd 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
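Review bot: As printed, the guard added in the `@@ -1700,6 +1700,9 @@` hunk of the first patch does not parse: the closing parenthesis of `sizeof` sits after the `ntohs(...)` term, and the pointer is spelled `iph_v6` while the surrounding lines use `iph6`. The check the commit is named for would read `if(header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr) + ntohs(iph6->ip6_hdr.ip6_un1_plen))`, or it could reuse the `ip_len` assigned on the line above. Within this hunk, that comparison is the only thing keeping `ndpi_handle_ipv6_extension_headers` from being handed a payload length larger than the captured bytes, so it deserves a regression input whose payload length exceeds `caplen`. The enclosing function starts and ends outside the hunk.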
@@ -939,12 +939,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo iph.daddr = iph6->ip6_dst.u6_addr.u6_addr32[2] + iph6->ip6_dst.u6_addr.u6_addr32[3]; iph.protocol = iph6->ip6_hdr.ip6_un1_nxt; - if(iph.protocol == IPPROTO_DSTOPTS /* IPv6 destination option */) { - const u_int8_t *options = (const u_int8_t*)iph6 + sizeof(const struct ndpi_ipv6hdr); - - iph.protocol = options[0]; - } - return(get_ndpi_flow_info(workflow, 6, vlan_id, tunnel_type, &iph, iph6, ip_offset, ipsize, ntohs(iph6->ip6_hdr.ip6_un1_plen), @@ -1708,6 +1702,7 @@ ether_type_check: if(ndpi_handle_ipv6_extension_headers(NULL, &l4ptr, &ip_len, &proto) != 0) { return(nproto); } + iph6->ip6_hdr.ip6_un1_nxt = proto; iph = NULL; } else { -- cgit v1.2.3
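Review bot: The line added in the `@@ -1708,6 +1702,7 @@` hunk, `iph6->ip6_hdr.ip6_un1_nxt = proto;`, writes into the packet bytes themselves, because `iph6` is a cast of `&packet[ip_offset]` (visible in the first patch's context). From that point the header no longer matches the wire: the next-header field names the upper-layer protocol, while the extension headers still follow it and `ip6_un1_plen`, which `get_ndpi_flow_info6` passes on, still counts them. If `packet` is the capture library's read-only buffer (its declaration is not in the hunk), the write also goes through a cast that discards `const`. Handing `proto` to `get_ndpi_flow_info6` as an argument would avoid the write; if the in-place rewrite stays, a comment such as `/* next header replaced by the protocol found after the extension headers; packet bytes no longer match the capture */` would tell later readers why. The enclosing function continues outside the hunk.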