From 5267858b3d09fbc6a70c4bdcabdd176ea26ee72c Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Sat, 15 Jul 2023 22:23:52 +0200
Subject: HTTP: fix another memory access error (#2049)

```
=================================================================
==199079==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x559a2a6efd4f in strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x94ad4f) (BuildId: 34aaabba403c6bc5482553ef355360fd2762a157)
    #1 0x559a2a9890f0 in ndpi_http_check_content /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:300:8
    #2 0x559a2a9812c0 in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:910:46
    #3 0x559a2a978fee in process_response /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1289:3
    #4 0x559a2a97622f in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1382:9
    #5 0x559a2a975d95 in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1468:3
    #6 0x559a2a864970 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5948:4
    #7 0x559a2a8660df in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6013:12
    #8 0x559a2a865d7f in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6032:12
    #9 0x559a2a876fd6 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7038:15
    #10 0x559a2a87311f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7205:22
    #11 0x559a2a77381e in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1710:31
    #12 0x559a2a77381e in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2427:10
[...]
```

Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60605
---
 src/lib/protocols/http.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src/lib/protocols/http.c')

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 6951dd85c..271409057 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -295,10 +295,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 	if(packet->content_disposition_line.ptr[attachment_len] == '\"') {
 	  if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"') {
 	    //case: filename="file_name
-	    flow->http.filename = ndpi_malloc(filename_len);
-	    if(flow->http.filename != NULL) {
-	      strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
-	      flow->http.filename[filename_len-1] = '\0';
+	    if(filename_len >= 2) {
+	      flow->http.filename = ndpi_malloc(filename_len);
+	      if(flow->http.filename != NULL) {
+	        strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
+	        flow->http.filename[filename_len-1] = '\0';
+	      }
 	    }
 	  }
 	  else if(filename_len >= 2) {
-- 
cgit v1.2.3