From 4976d93d4e7ce5e63cb562fb7f0f916c3103e2de Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 12 Mar 2020 14:03:31 +0100
Subject: Fix buffer overread in ndpi_search_setup_capwap

---
 src/lib/protocols/capwap.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c
index bfad1a593..33b20fcab 100644
--- a/src/lib/protocols/capwap.c
+++ b/src/lib/protocols/capwap.c
@@ -66,10 +66,12 @@ static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_s
     else
       offset = 15, to_add = 17;
 
-    msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
+    if (packet->payload_packet_len >= offset + sizeof(u_int16_t)) {
+      msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
 
-    if((msg_len+to_add) == packet->payload_packet_len)
-      goto capwap_found;
+      if((msg_len+to_add) == packet->payload_packet_len)
+        goto capwap_found;
+    }
   }
   
   if(
-- 
cgit v1.2.3