Numeric truncation at tls.c:1010

[headshog]

Hi! We've been fuzzing nDPI with sydr-fuzz security predicates and numeric truncation error was found in tls.c:1010.

In ndpi_search_tls_tcp function we have found this error on line 1010. On this line value (message->buffer[3] << 8) + message->buffer[4] + 5, which has int type due to integer promotion, can be truncated. Then the variable len is used in if operator on line 1012, that can work out incorrectly. So variable type u_int16_t len should be changed to u_int32_t len.

Environment

• OS: ubuntu 20.04
• commit: 334b435

How to reproduce this error

1. Build docker container:

   sudo docker build -t oss-sydr-fuzz-ndpi .
   
   

2. Run docker container:

   docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-ndpi /bin/bash
   
   

3. Run on the following input:

   /nDPI/libfuzzer/fuzz_ndpi_reader sydr_dc37d65b367f71e74967d3478cc161b48ad86c7d_num_trunc_0
   
   

4. Output:

   protocols/tls.c:1010:11: runtime error: implicit conversion from type 'int' of value 65540 (32-bit, signed) to type 'u_int16_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned)
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1010:11
   

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[IvanNardi]

Thank you