QUIC: fix heap-buffer-overflow

``` ==12318==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000032 at pc 0x55a59ec97959 bp 0x7fffee67fdd0 sp 0x7fffee67fdc8 READ of size 1 at 0x604000000032 thread T0 #0 0x55a59ec97958 in may_be_0rtt /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1483:24 #1 0x55a59ec9515f in ndpi_search_quic /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1708:13 #2 0x55a59ec32e95 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5428:6 #3 0x55a59ec33c5b in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5464:10 #4 0x55a59ec335fc in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5497:12 #5 0x55a59ec44615 in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6322:15 #6 0x55a59eb8884e in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:29:5 #7 0x55a59eb889c7 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:101:17 ntop#8 0x7fb5b3ba2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 ntop#9 0x55a59eac742d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x47d42d) (BuildId: 712c87b21cf5c05f64174745909c693d3ba0b62e) 0x604000000032 is located 0 bytes to the right of 34-byte region [0x604000000010,0x604000000032) allocated by thread T0 here: #0 0x55a59eb4bfee in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x501fee) (BuildId: 712c87b21cf5c05f64174745909c693d3ba0b62e) #1 0x55a59eb8899c in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:87:17 ``` Found by CI tests. See: https://github.com/ntop/nDPI/runs/7996151458?check_suite_focus=true
ThreatEye · Aug 25, 2022 · a329730 · a329730
1 parent 8bfb171
commit a329730
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
@@ -1476,12 +1476,12 @@ static int may_be_0rtt(struct ndpi_detection_module_struct *ndpi_struct,
 
   /* Check that CIDs lengths are valid */
   dest_conn_id_len = packet->payload[5];
-  if(packet->payload_packet_len < 5 + 1 + dest_conn_id_len) {
+  if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len) {
     NDPI_LOG_DBG2(ndpi_struct, "Dcid too short\n");
     return 0;
   }
   source_conn_id_len = packet->payload[5 + 1 + dest_conn_id_len];
-  if(packet->payload_packet_len < 5 + 1 + dest_conn_id_len + 1 + source_conn_id_len) {
+  if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len + 1 + source_conn_id_len) {
     NDPI_LOG_DBG2(ndpi_struct, "Scid too short\n");
     return 0;
   }