Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame^] | 1 | From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001 |
| 2 | From: Luca Deri <deri@ntop.org> |
| 3 | Date: Sat, 15 May 2021 19:53:46 +0200 |
| 4 | Subject: [PATCH] Added further checks |
| 5 | |
| 6 | Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3] |
| 7 | CVE: CVE-2021-36082 |
| 8 | |
| 9 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 10 | |
| 11 | --- |
| 12 | src/lib/protocols/netbios.c | 2 +- |
| 13 | src/lib/protocols/tls.c | 32 +++++++++++++++++--------------- |
| 14 | 2 files changed, 18 insertions(+), 16 deletions(-) |
| 15 | |
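--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
 int ret = 0, len, idx = inlen;
 char *b;
 
- len = (*in++)/2;
+ len = (*in++)/2, inlen--;
 b = out;
 *out = 0;
 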
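Review bot: `len = (*in++)/2, inlen--;` reads the length byte and decrements `inlen` before anything visible in this hunk checks that `inlen` is non-zero. Because `inlen` is a `size_t`, a zero-length input would wrap it to `SIZE_MAX`, and any later bound compared against `inlen` would then pass. Unless every caller guarantees at least one byte, a guard such as `if(inlen == 0) return(-1);` ahead of this line closes that, assuming -1 is this function's error return, which the hunk does not show. `idx` is also initialised from `inlen` before the decrement, so the two no longer agree; the rest of the function is outside the hunk, so whether that matters has to be checked there.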
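--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 i += 4 + extension_len, offset += 4 + extension_len;
 }
 
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
 
- for(i=0; i<ja3.num_cipher; i++) {
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+ for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
 
 if(rc <= 0) break; else ja3_str_len += rc;
 }
 
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
- if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ if(JA3_STR_LEN > ja3_str_len) {
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ }
 
 /* ********** */
 
- for(i=0; i<ja3.num_tls_extension; i++) {
- int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) {
+ int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
 
 if(rc <= 0) break; else ja3_str_len += rc;
 }
@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 int rc;
 
 compute_ja3c:
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
 
 for(i=0; i<ja3.num_cipher; i++) {
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
 (i > 0) ? "-" : "", ja3.cipher[i]);
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 }
 
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 /* ********** */
 
 for(i=0; i<ja3.num_tls_extension; i++) {
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
 (i > 0) ? "-" : "", ja3.tls_extension[i]);
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 }
 
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 /* ********** */
 
 for(i=0; i<ja3.num_elliptic_curve; i++) {
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
 (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 }
 
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
 
 for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
 (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
 }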
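Review bot: The extension loop in the first hunk is guarded by `(JA3_STR_LEN-ja3_str_len)`, which is a non-zero test rather than the `JA3_STR_LEN > ja3_str_len` comparison used for the cipher loop just above it. In that hunk `ja3_str_len += rc` runs whenever `rc > 0`, and snprintf returns the length it would have written, so after a truncated write `ja3_str_len` can exceed `JA3_STR_LEN`; the difference is then still non-zero, the loop keeps going, and `&ja3_str[ja3_str_len]` is handed to snprintf with a size that is negative or wrapped once converted to `size_t`. I would write the condition as `(i<ja3.num_tls_extension) && (JA3_STR_LEN > ja3_str_len)` and stop on truncation in both first-hunk loops with `if(rc <= 0 || rc >= JA3_STR_LEN-ja3_str_len) break; else ja3_str_len += rc;`. The second hunk's loops already check `ja3_str_len + rc < JA3_STR_LEN` before advancing; the declarations of `ja3_str` and `ja3_str_len` lie outside both hunks, so their exact types are inferred here.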
| 114 | -- |
| 115 | 2.17.1 |
| 116 | |