From 5f99433ee75cd6acc4e73fd9de132b138be12a50 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 22 Sep 2020 08:56:35 +0200
Subject: Minor UA handling improvement to avoid heap-overflow
---
 src/lib/protocols/http.c | 2 +-
 src/lib/protocols/quic.c | 20 ++++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)
 (limited to 'src/lib')
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 983a53b1c..2cc42edad 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -347,7 +347,7 @@ int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
 flow->http.user_agent = ndpi_malloc(len);
 if(flow->http.user_agent) {
- strncpy(flow->http.user_agent, (char*)ua_ptr, ua_ptr_len);
+ memcpy(flow->http.user_agent, (char*)ua_ptr, ua_ptr_len);
 flow->http.user_agent[ua_ptr_len] = '\0';
 ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent);
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 5585fe3dc..70187bd5e 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1128,15 +1128,19 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
 if (ua_found)
 return;
 }
- if((memcmp(tag, "UAID", 4) == 0) &&
- (tag_offset_start + prev_offset + len < crypto_data_len)) {
- NDPI_LOG_DBG2(ndpi_struct, "UA: [%.*s]\n", len, &crypto_data[tag_offset_start + prev_offset]);
- http_process_user_agent(ndpi_struct, flow,
- &crypto_data[tag_offset_start + prev_offset], len);
- ua_found = 1;
- if (sni_found)
- return;
+ if(memcmp(tag, "UAID", 4) == 0) {
+ u_int uaid_offset = tag_offset_start + prev_offset;
+
+ if((uaid_offset + len) < crypto_data_len) {
+ NDPI_LOG_DBG2(ndpi_struct, "UA: [%.*s]\n", len, &crypto_data[uaid_offset]);
+
+ http_process_user_agent(ndpi_struct, flow, &crypto_data[uaid_offset], len); /* http.c */
+ ua_found = 1;
+
+ if (sni_found)
+ return;
+ }
 }
 prev_offset = offset;
--
cgit v1.2.3
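Review bot: The `memcpy` of `ua_ptr_len` bytes followed by `flow->http.user_agent[ua_ptr_len] = '\0'` is only in bounds if `len` passed to `ndpi_malloc(len)` is at least `ua_ptr_len + 1`, and that relationship is computed above the hunk where nothing ties it to these two writes. A comment at the allocation would keep the next edit from breaking the invariant silently, e.g. `/* len must be >= ua_ptr_len + 1: memcpy fills [0, ua_ptr_len) and the NUL goes at [ua_ptr_len] */`. The `(char*)` cast on `ua_ptr` is redundant now that the destination call is `memcpy`, which takes `const void *`. http_process_user_agent's body starts and ends outside the hunk.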
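Review bot: The new bounds check `if((uaid_offset + len) < crypto_data_len)` is computed in unsigned arithmetic (`uaid_offset` is declared `u_int`), so if `len` is a large unsigned value taken from the tag table — its type is not visible in the hunk — the sum can wrap and pass the check while `&crypto_data[uaid_offset]` plus `len` bytes still lies past the buffer. A wrap-free form that keeps the same strict inequality is `if(uaid_offset < crypto_data_len && len < crypto_data_len - uaid_offset) {`. It may also be worth a one-line comment on why `<` rather than `<=` is intended here, since the strict form rejects a UA that ends exactly at `crypto_data_len`. process_chlo's body starts before and continues after the hunk.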