Skip to content
Permalink
Browse files Browse the repository at this point in the history
Added check for heap buffer overflow read
  • Loading branch information
lucaderi committed May 29, 2020
1 parent 4ceff1d commit 61066fb
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion src/lib/ndpi_main.c
Expand Up @@ -4807,29 +4807,34 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re
u_int16_t read = 0;
u_int16_t oldread;
u_int32_t c;

/* ip address must be X.X.X.X with each X between 0 and 255 */
oldread = read;
c = ndpi_bytestream_to_number(str, max_chars_to_read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);

read++;
val = c << 24;
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);

read++;
val = val + (c << 16);
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.')
return(0);

read++;
val = val + (c << 8);
oldread = read;
c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read);
if(c > 255 || oldread == read || max_chars_to_read == read)
return(0);

val = val + c;

*bytes_read = *bytes_read + read;
Expand Down Expand Up @@ -4869,9 +4874,10 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
int diff; /* No unsigned ! */
u_int32_t a1 = a + 4;

diff = ndpi_min(packet->payload_packet_len-a1, sizeof(flow->initial_binary_bytes));
diff = packet->payload_packet_len - a1;

if(diff > 0) {
diff = ndpi_min(diff, sizeof(flow->initial_binary_bytes));
memcpy(&flow->initial_binary_bytes, &packet->payload[a1], diff);
flow->initial_binary_bytes_len = diff;
}
Expand Down

0 comments on commit 61066fb

Please sign in to comment.