From 3c05d4551dfb1181770416c4301a4f92415e41af Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 12 Mar 2020 14:05:48 +0100
Subject: Fix snprintf return value check for tls

---
 src/lib/protocols/tls.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'src/lib/protocols/tls.c')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 970f114cc..3ec67f57f 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -825,7 +825,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
       }
 
       rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
-      if(rc > 0) ja3_str_len += rc;
+      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
       /* ********** */
 
@@ -1155,38 +1155,38 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 	      for(i=0; i<ja3.num_cipher; i++) {
 		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
 			      (i > 0) ? "-" : "", ja3.cipher[i]);
-		if(rc > 0) ja3_str_len += rc; else break;
+		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 	      }
 
 	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
-	      if(rc > 0) ja3_str_len += rc;
+	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 	      /* ********** */
 
 	      for(i=0; i<ja3.num_tls_extension; i++) {
 		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
 			      (i > 0) ? "-" : "", ja3.tls_extension[i]);
-		if(rc > 0) ja3_str_len += rc; else break;
+		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 	      }
 
 	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
-	      if(rc > 0) ja3_str_len += rc;
+	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 	      /* ********** */
 
 	      for(i=0; i<ja3.num_elliptic_curve; i++) {
 		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
 			      (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
-		if(rc > 0) ja3_str_len += rc; else break;
+		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 	      }
 
 	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
-	      if(rc > 0) ja3_str_len += rc;
+	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 	      for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
 		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
 			      (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
-		if(rc > 0) ja3_str_len += rc; else break;
+		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 	      }
 
 #ifdef DEBUG_TLS
-- 
cgit v1.2.3


From 7806eb5f5b02fd78de1db20caeebc56088ebec3e Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 12 Mar 2020 14:31:47 +0100
Subject: Fix infinite loop in tls

---
 src/lib/protocols/tls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/lib/protocols/tls.c')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 3ec67f57f..8c351053a 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1113,7 +1113,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 
 		  s_offset++;
 		  
-		  for(j=0; j<version_len; j += 2) {
+		  // careful not to overflow and loop forever with u_int8_t
+		  for(j=0; j+1<version_len; j += 2) {
 		    u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[s_offset+j]));
 		    u_int8_t unknown_tls_version;
 		    
-- 
cgit v1.2.3