From de25ba7d0b690c77ac5aa9ffba6ab107c033759f Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Mon, 6 Jul 2020 23:30:40 +0200
Subject: Fixed heap overflow caused by missing lengthcheck in reader uutil.

* triggered by fuzz traces from wireshark

Signed-off-by: Toni Uhlig
---
 example/reader_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'example')

diff --git a/example/reader_util.c b/example/reader_util.c
index 508777ec2..94d5188ad 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1719,7 +1719,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 workflow->stats.mpls_count++;
 type = ETH_P_IP, ip_offset += 4;
- while(!mpls.mpls.s) {
+ while(!mpls.mpls.s && (((bpf_u_int32)ip_offset) + 4 < header->caplen)) {
 mpls.u32 = *((uint32_t *) &packet[ip_offset]);
 mpls.u32 = ntohl(mpls.u32);
 ip_offset += 4;
--
cgit v1.2.3
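Review bot: When the new `((bpf_u_int32)ip_offset) + 4 < header->caplen` test ends the `while` loop, execution falls through exactly as if the bottom-of-stack label had been found, with `type = ETH_P_IP` already set and `ip_offset` within a few bytes of the end of the capture. The code after the loop lies outside this hunk and may already bound its own reads, but a truncated label stack is better rejected right here: follow the loop with an `if(!mpls.mpls.s)` check that leaves through whatever too-short-packet path the function already has. The `mpls` value tested on the first iteration comes from a read before the hunk, which presumably needs the same `caplen` bound; confirm against the full function. A comment above the loop such as `/* never read an MPLS label beyond header->caplen (truncated or malformed stack) */` would record why the second condition exists.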