Skip to content

Commit

Permalink
QUIC: fix an integer overflow (#1396)
Browse files Browse the repository at this point in the history
Reported by oss-fuzz:
```
==685288==ERROR: AddressSanitizer: SEGV on unknown address 0x61a100000687 (pc 0x0000005aba64 bp 0x7ffe3f29f510 sp 0x7ffe3f29f400 T0)
==685288==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
 #0 0x5aba64 in quic_len ndpi/src/lib/protocols/quic.c:203:12
 #1 0x5aba64 in decrypt_initial_packet ndpi/src/lib/protocols/quic.c:993:16
 #2 0x5aba64 in get_clear_payload ndpi/src/lib/protocols/quic.c:1302:21
 #3 0x5aba64 in ndpi_search_quic ndpi/src/lib/protocols/quic.c:1658:19
 #4 0x579f00 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:4683:6
 #5 0x57abe6 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0
 #6 0x583b2c in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:5545:15
 #7 0x55e75e in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:30:3
[...]
```
  • Loading branch information
IvanNardi authored Jan 11, 2022
1 parent 3a087e9 commit 06f3b07
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/lib/protocols/quic.c
Original file line number Diff line number Diff line change
Expand Up @@ -985,8 +985,9 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi
pn_offset = 1 + 4 + 1 + dest_conn_id_len + 1 + source_conn_id_len;
pn_offset += quic_len(&packet->payload[pn_offset], &token_length);
pn_offset += token_length;
/* Checks: quic_len reads 8 bytes, at most; quic_decrypt_header reads other 20 bytes */
if(pn_offset + 8 + (4 + 16) >= packet->payload_packet_len) {
/* Checks: quic_len reads 8 bytes, at most; quic_decrypt_header reads other 20 bytes.
Promote to uint64_t to avoid unsigned wrapping */
if((uint64_t)pn_offset + 8 + (4 + 16) >= (uint64_t)packet->payload_packet_len) {
quic_ciphers_reset(&ciphers);
return NULL;
}
Expand Down

0 comments on commit 06f3b07

Please sign in to comment.