From f95bdaf625a540cbd040508bfbb8808223f97aed Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Thu, 19 Jan 2023 14:12:51 +0100
Subject: Bittorrent: fix heap-buffer-overflow (#1863)

```
==258287==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600068ff9d at pc 0x5653a6e35def bp 0x7ffeef5aa620 sp 0x7ffeef5a9dc8
READ of size 22 at 0x60600068ff9d thread T0
    #0 0x5653a6e35dee in strncmp (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x4d2dee) (BuildId: 133b8c3c8ff99408109fcb9be2538bb8341f07f7)
    #1 0x5653a70d6624 in ndpi_search_bittorrent /home/ivan/svnrepos/nDPI/src/lib/protocols/bittorrent.c:500:71
    #2 0x5653a6ff255a in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5686:6
    #3 0x5653a6ff331b in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5722:10
    #4 0x5653a6ff2cbc in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5755:12
    #5 0x5653a70016bf in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6578:15
    #6 0x5653a6f1836d in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1678:31
    #7 0x5653a6f140a1 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2256:10
```
Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55218
Fix: 470eaa6f
---
 src/lib/protocols/bittorrent.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 852b7cbac..64e46a4ed 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -494,14 +494,13 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str
 	wireshark/epan/dissectors/packet-bt-utp.c
       */
 
-      if(packet->payload_packet_len >= 20 /* min header size */) {
 	if(
-	   (strncmp((const char*)packet->payload, bt_search, strlen(bt_search)) == 0)
-	   || (strncmp((const char*)packet->payload, bt_search1, strlen(bt_search1)) == 0)
+	   (packet->payload_packet_len > 22 && strncmp((const char*)packet->payload, bt_search, strlen(bt_search)) == 0) ||
+	   (packet->payload_packet_len > 12 && strncmp((const char*)packet->payload, bt_search1, strlen(bt_search1)) == 0)
 	   ) {
 	  ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI);
 	  return;
-	} else {
+	} else if(packet->payload_packet_len >= 20) {
 	  /* Check if this is protocol v0 */
 	  u_int8_t v0_extension = packet->payload[17];
 	  u_int8_t v0_flags     = packet->payload[18];
@@ -534,7 +533,6 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str
 	  }
 
 	}
-      }
 
       flow->bittorrent_stage++;
 
-- 
cgit v1.2.3