From 333a6d60e8ab9c9cd5479a058f8b0c482c5cd2d9 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Fri, 22 Oct 2021 14:57:49 +0200
Subject: TLS: fix a heap-buffer-overflow (#1356)

Revert of c3d1c697
Error reproducible with the attached pcap and valgrind
---
 src/lib/protocols/tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index bfff42033..d5fa5db1b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1533,10 +1533,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
       printf("Client TLS [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version);
 #endif
 
-      if((cipher_offset+cipher_len) <= total_len) {
+      if((cipher_offset+cipher_len) <= total_len - 1) { /* -1 because variable "id" is a u_int16_t */
 	u_int8_t safari_ciphers = 0, chrome_ciphers = 0, this_is_not_safari = 0, looks_like_safari_on_big_sur = 0;
 
-	for(i=0; i<cipher_len-1;) {
+	for(i=0; i<cipher_len;) {
 	  u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
 	  u_int16_t cipher_id = ntohs(*id);
 
-- 
cgit v1.2.3