From 13212711ab85bb9e5b3dfdb51b8a0ba0b6b3fa32 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Thu, 1 Feb 2024 20:30:43 +0100
Subject: CIP: fix infinite-loop (#2295)

Found by oss-fuzzer
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66342
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66320
---
 src/lib/protocols/cip.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/lib/protocols/cip.c b/src/lib/protocols/cip.c
index 65dbb9a24..f9412b809 100644
--- a/src/lib/protocols/cip.c
+++ b/src/lib/protocols/cip.c
@@ -43,11 +43,12 @@ static void ndpi_search_cip(struct ndpi_detection_module_struct *ndpi_struct,
      ) {
     u_int8_t num_items = packet->payload[0], offset = 2;
-    while((num_items > 0) && (packet->payload_packet_len > (offset + 4))) {
+    while((num_items > 0) && (packet->payload_packet_len > ((u_int32_t)offset + 4))) {
       // u_int16_t type_id = *((u_int16_t*)&packet->payload[offset]);
       u_int16_t lenght = (packet->payload[offset+3] << 8) + packet->payload[offset+2];
       offset += 4 + lenght;
+      num_items--;
     }
     if(offset == packet->payload_packet_len) {
-- 
cgit v1.2.3
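Review bot: The cast in the new `while` condition widens `offset` only for the comparison; `offset` itself is still the `u_int8_t` declared on the line above, so `offset += 4 + lenght;` wraps modulo 256 whenever an item's 16-bit length pushes it past 255. The `num_items--` now bounds the iteration count, so the hang is gone, but after a wrap the loop keeps reading item headers from a stale position inside the payload, and the `if(offset == packet->payload_packet_len)` check that follows can then match by coincidence and classify garbage as CIP. Tracking the position in a type that cannot wrap removes both the cast and the residual issue: `u_int8_t num_items = packet->payload[0];` / `u_int32_t offset = 2;` / `while((num_items > 0) && (packet->payload_packet_len > (offset + 4))) {`. The enclosing `ndpi_search_cip` begins and ends outside the hunk, so the width of `payload_packet_len` is not visible here; with a 32-bit `offset` the comparison stays well-defined whatever that width is.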