From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sat, 15 May 2021 19:53:46 +0200 Subject: [PATCH] Added further checks Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3] CVE: CVE-2021-36082 Signed-off-by: Changqing Li --- src/lib/protocols/netbios.c | 2 +- src/lib/protocols/tls.c | 32 +++++++++++++++++--------------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 1f3850cb..0d3b705f 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len int ret = 0, len, idx = inlen; char *b; - len = (*in++)/2; + len = (*in++)/2, inlen--; b = out; *out = 0; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 5b572cae..c115ac08 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
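Review bot: In the netbios.c hunk, the first byte is read through `*in++` and `inlen` is decremented with no visible check that `inlen` is non-zero. `inlen` is a `size_t`, so a zero-length input would wrap it to a very large value and weaken any later bound that relies on it. Unless every caller guarantees at least one byte, a guard ahead of the read would close this, e.g. `if(inlen == 0) return(-1);` (the error value is assumed, since the return paths are outside the hunk). Also, `idx = inlen` is initialised in the declaration before the decrement, so `idx` keeps the old length; whether that is intended depends on the loop below the hunk. Writing the decrement as its own statement instead of using the comma operator would make the change easier to read.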
@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, i += 4 + extension_len, offset += 4 + extension_len; } - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version); - for(i=0; i 0) ? "-" : "", ja3.cipher[i]); + for(i=0; (i ja3_str_len); i++) { + rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); if(rc <= 0) break; else ja3_str_len += rc; } - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; + if(JA3_STR_LEN > ja3_str_len) { + rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; + } /* ********** */ - for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); + for(i=0; (i 0) ? "-" : "", ja3.tls_extension[i]); if(rc <= 0) break; else ja3_str_len += rc; } 
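Review bot: The loops in this hunk still advance with `if(rc <= 0) break; else ja3_str_len += rc;`, and snprintf returns the length it would have written, so on truncation `ja3_str_len` can end up larger than `JA3_STR_LEN`. The added `JA3_STR_LEN > ja3_str_len` guards stop the next write, but any later use of `ja3_str_len` as a length or index (the code after the hunk is not visible) would point past the buffer. The compute_ja3c section in the following hunk already uses the stricter form, so the same line here, `if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;`, would keep the counter in range and make the two paths consistent. The loop conditions are partly lost in this extract, so the guard on the extension loop should be confirmed against the original patch.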
@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, int rc; compute_ja3c: - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); + ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version); for(i=0; i 0) ? "-" : "", ja3.cipher[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; /* ********** */ for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; /* ********** */ for(i=0; i 0) ? "-" : "", ja3.elliptic_curve[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; for(i=0; i 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; } -- 2.17.1
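Review bot: Replacing `sizeof(ja3_str)` with `JA3_STR_LEN` throughout compute_ja3c makes every snprintf bound depend on the buffer being declared with exactly that macro, and the declaration is outside the hunk. A comment at the declaration would record the dependency, e.g. `/* ja3_str must be char[JA3_STR_LEN]; the snprintf bounds below rely on it */`, or a compile-time assertion comparing `sizeof(ja3_str)` with `JA3_STR_LEN` if the project's C standard allows one. Separately, each `else break;` cuts the string short without any signal, so whatever is computed from `ja3_str` after the hunk is derived from a partial list. A debug log or a truncation flag would let consumers of the fingerprint see when that happened.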