Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix for potential heap-buffer-overflow in ndpi_search_openvpn
  • Loading branch information
lucaderi committed May 15, 2020
1 parent e90c5c7 commit 8e7b1ea
Showing 1 changed file with 30 additions and 21 deletions.
51 changes: 30 additions & 21 deletions src/lib/protocols/openvpn.c
Expand Up @@ -72,11 +72,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
u_int8_t alen;
int8_t hmac_size;
int8_t failed = 0;

if(packet->payload_packet_len >= 40) {
/* No u_ */int16_t ovpn_payload_len = packet->payload_packet_len;

if(ovpn_payload_len >= 40) {
// skip openvpn TCP transport packet size
if(packet->tcp != NULL)
ovpn_payload += 2;
ovpn_payload += 2, ovpn_payload_len -= 2;;

opcode = ovpn_payload[0] & P_OPCODE_MASK;

Expand All @@ -85,16 +86,16 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
printf("[packet_id: %u][opcode: %u][Packet ID: %d][%u <-> %u][len: %u]\n",
flow->num_processed_pkts,
opcode, check_pkid_and_detect_hmac_size(ovpn_payload),
htons(packet->udp->source), htons(packet->udp->dest), packet->payload_packet_len);
htons(packet->udp->source), htons(packet->udp->dest), ovpn_payload_len);
#endif

if(
(flow->num_processed_pkts == 1)
&& (
((packet->payload_packet_len == 112)
((ovpn_payload_len == 112)
&& ((opcode == 168) || (opcode == 192))
)
|| ((packet->payload_packet_len == 80)
|| ((ovpn_payload_len == 80)
&& ((opcode == 184) || (opcode == 88) || (opcode == 160) || (opcode == 168) || (opcode == 200)))
)) {
NDPI_LOG_INFO(ndpi_struct,"found openvpn\n");
Expand All @@ -119,22 +120,30 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload);

if(hmac_size > 0) {
alen = ovpn_payload[P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size)];
u_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size);

alen = ovpn_payload[offset];

if (alen > 0) {
session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4;

if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) {
NDPI_LOG_INFO(ndpi_struct,"found openvpn\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
NDPI_LOG_DBG2(ndpi_struct,
"key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n",
session_remote[0], session_remote[1], session_remote[2], session_remote[3],
session_remote[4], session_remote[5], session_remote[6], session_remote[7]);
failed = 1;
}
} else
offset += 1 + alen * 4;

if((offset+8) <= ovpn_payload_len) {
session_remote = &ovpn_payload[offset];

if(memcmp(flow->ovpn_session_id, session_remote, 8) == 0) {
NDPI_LOG_INFO(ndpi_struct,"found openvpn\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
NDPI_LOG_DBG2(ndpi_struct,
"key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n",
session_remote[0], session_remote[1], session_remote[2], session_remote[3],
session_remote[4], session_remote[5], session_remote[6], session_remote[7]);
failed = 1;
}
} else
failed = 1;
} else
failed = 1;
} else
failed = 1;
Expand Down

0 comments on commit 8e7b1ea

Please sign in to comment.