From 2c1b7cf1bd8954bc236c2bacc2604d7238444cbf Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 29 Sep 2020 17:59:03 +0200
Subject: QUIC: fix dissection of "offset" field (#1025)

The "offset" field is a variable-length integer. This bug hasn't any practical effects right now, since we are ignoring any packet with "offset" != 0 (and the value 0 is always encoded in only one byte). But extracting a correct "offset" is important if we are ever going to handle fragmented Client Hello messages.
---
 src/lib/protocols/quic.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 70187bd5e..924b90b8a 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -31,6 +31,7 @@
 #endif
 
 // #define DEBUG_CRYPT
+// #define QUIC_DEBUG
 
 /*
  This dissector handles GQUIC and IETF-QUIC both. Main references:
@@ -898,7 +899,7 @@ static const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_
   const u_int8_t *crypto_data;
   uint32_t counter;
   uint8_t first_nonzero_payload_byte, offset_len;
-  uint64_t unused;
+  uint64_t unused, offset;
 
   counter = 0;
   while(counter < clear_payload_len && clear_payload[counter] == 0)
@@ -972,16 +973,17 @@ static const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_
       }
       return NULL;
     }
-    if(counter + 2 + 8 >= clear_payload_len) /* quic_len reads 8 bytes, at most */
+    counter += 1;
+    if(counter + 8 + 8 >= clear_payload_len) /* quic_len reads 8 bytes, at most */
       return NULL;
-    if(clear_payload[counter + 1] != 0x00) {
+    counter += quic_len(&clear_payload[counter], &offset);
+    if(offset != 0) {
 #ifdef QUIC_DEBUG
       NDPI_LOG_ERR(ndpi_struct, "Unexpected crypto stream offset 0x%x\n",
-                   clear_payload[counter + 1]);
+                   offset);
 #endif
       return NULL;
     }
-    counter += 2;
     counter += quic_len(&clear_payload[counter], crypto_data_len);
     crypto_data = &clear_payload[counter];
   }
-- 
cgit v1.2.3
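Review bot: The debug log in the third hunk now passes the new `uint64_t offset` to a `%x` conversion, which expects `unsigned int`; that is a format/argument mismatch (undefined behaviour, and on most ABIs it would print only the low 32 bits), even though it is only compiled under `QUIC_DEBUG`. Change the format to `"Unexpected crypto stream offset 0x%" PRIx64 "\n"` (or cast to `(unsigned long long)offset` with `%llx`); I cannot see from the hunk whether quic.c already includes `<inttypes.h>`. The guard `counter + 8 + 8 >= clear_payload_len` does cover the worst case of the two varint reads that follow, but the comment `/* quic_len reads 8 bytes, at most */` now explains only half of it, so `/* two varints (offset, length), each at most 8 bytes */` would be clearer. Nothing in this hunk bounds `*crypto_data_len` against `clear_payload_len - counter` after the second `quic_len` call; presumably the caller does that, but if it does not, a crafted length would let the CRYPTO data read run past the decrypted payload. get_crypto_data starts and ends outside this hunk.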