From b0bf66c436b829155662c27f59ab09dc6e9e7f3d Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sun, 31 May 2020 08:30:55 +0200
Subject: Added offset check in kerberos dissector
---
 src/lib/protocols/kerberos.c | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)
(limited to 'src/lib/protocols')
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index ff16545f5..98aa91a51 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -256,30 +256,38 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
 } else snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str);
- for(i=0; i<14; i++) if(packet->payload[realm_offset] != 0x1b) realm_offset++; /* ASN.1 */
+ for(i=0; (i < 14) && (realm_offset < packet->payload_packet_len); i++) {
+ if(packet->payload[realm_offset] != 0x1b)
+ realm_offset++; /* ASN.1 */
+ }
+
 #ifdef KERBEROS_DEBUG
- printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset, packet->payload[realm_offset], packet->payload[realm_offset+1]);
+ printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset,
+ packet->payload[realm_offset], packet->payload[realm_offset+1]);
 #endif
+
 realm_offset += 1; //if(num_cname == 2) realm_offset++;
- realm_len = packet->payload[realm_offset];
+ if(realm_offset < packet->payload_packet_len) {
+ realm_len = packet->payload[realm_offset];
- if((realm_offset+realm_len) < packet->payload_packet_len) {
- char realm_str[48];
+ if((realm_offset+realm_len) < packet->payload_packet_len) {
+ char realm_str[48];
- if(realm_len > sizeof(realm_str)-1)
- realm_len = sizeof(realm_str)-1;
+ if(realm_len > sizeof(realm_str)-1)
+ realm_len = sizeof(realm_str)-1;
- realm_offset += 1;
+ realm_offset += 1;
- strncpy(realm_str, (char*)&packet->payload[realm_offset], realm_len);
- realm_str[realm_len] = '\0';
- for(i=0; ipayload[realm_offset], realm_len);
+ realm_str[realm_len] = '\0';
+ for(i=0; iprotos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);
+ snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);
+ }
 }
 }
 }
-- cgit v1.2.3
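Review bot: The printf between `#ifdef KERBEROS_DEBUG` and `#endif` still reads `packet->payload[realm_offset]` and `packet->payload[realm_offset+1]` with no bound, while the rewritten scan loop just above it can now stop with realm_offset equal to payload_packet_len, so a debug build reads up to two bytes past the payload; guard it with `if(realm_offset + 1 < packet->payload_packet_len)` or move it under the new `if(realm_offset < packet->payload_packet_len)` block. Nothing after the loop checks that a 0x1b tag was actually found: when 14 iterations pass without one, the following byte is still taken as realm_len, which the new length checks make memory-safe but still fills `flow->protos.kerberos.domain` from an arbitrary byte range, so consider a `break` on the match and skipping the realm extraction unless `packet->payload[realm_offset] == 0x1b` (tested before the `realm_offset += 1`). The old and new `for(i=0; i...` lines over realm_str are garbled in this rendering and could not be reviewed, and ndpi_search_kerberos begins and ends outside the hunk.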