1From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001
2From: Luca Deri <deri@ntop.org>
3Date: Sat, 15 May 2021 19:53:46 +0200
4Subject: [PATCH] Added further checks
5 
6Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3]
7CVE: CVE-2021-36082
8 
9Signed-off-by: Changqing Li <changqing.li@windriver.com>
10 
11---
12 src/lib/protocols/netbios.c | 2 +-
13 src/lib/protocols/tls.c | 32 +++++++++++++++++---------------
14 2 files changed, 18 insertions(+), 16 deletions(-)
15 
16diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
17index 1f3850cb..0d3b705f 100644
18--- a/src/lib/protocols/netbios.c
19+++ b/src/lib/protocols/netbios.c
20@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
21 int ret = 0, len, idx = inlen;
22 char *b;
23 
24- len = (*in++)/2;
25+ len = (*in++)/2, inlen--;
26 b = out;
27 *out = 0;
28 
29diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
30index 5b572cae..c115ac08 100644
31--- a/src/lib/protocols/tls.c
32+++ b/src/lib/protocols/tls.c
33@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
34 i += 4 + extension_len, offset += 4 + extension_len;
35 }
36 
37- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
38+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
39 
40- for(i=0; i<ja3.num_cipher; i++) {
41- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
42+ for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
43+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? 
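Review bot: The new `len = (*in++)/2, inlen--;` still dereferences `in` before anything in the hunk establishes that `inlen` is at least 1, so a zero-length input would read one byte past the buffer; if callers can reach this with `inlen == 0` (not visible here), guard it first with `if(inlen == 0) return 0;`, assuming 0 is the "nothing decoded" result that `ret = 0` suggests. Note also that `idx` is initialised from `inlen` on the context line `int ret = 0, len, idx = inlen;` before the decrement, so it still counts the length byte — worth a one-line comment if that is intended, since the two now disagree. Stylistically the comma operator hides the decrement; two statements, `len = (*in++)/2;` followed by `inlen--; /* length byte consumed */`, make the bookkeeping visible. ndpi_netbios_name_interpret continues past the end of this hunk.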
"-" : "", ja3.cipher[i]); 44 45 if(rc <= 0) break; else ja3_str_len += rc; 46 } 47 48- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); 49- if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; 50+ if(JA3_STR_LEN > ja3_str_len) { 51+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); 52+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; 53+ } 54 55 /* ********** */ 56 57- for(i=0; i<ja3.num_tls_extension; i++) { 58- int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); 59+ for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) { 60+ int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); 61 62 if(rc <= 0) break; else ja3_str_len += rc; 63 } 64@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, 65 int rc; 66 67 compute_ja3c: 68- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); 69+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version); 70 71 for(i=0; i<ja3.num_cipher; i++) { 72- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", 73+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", 74 (i > 0) ? "-" : "", ja3.cipher[i]); 75 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; 76 } 77 78- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); 79+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); 80 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; 81 82 /* ********** */ 83 84 for(i=0; i<ja3.num_tls_extension; i++) { 85- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", 86+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", 87 (i > 0) ? 
"-" : "", ja3.tls_extension[i]); 88 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; 89 } 90 91- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); 92+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); 93 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; 94 95 /* ********** */ 96 97 for(i=0; i<ja3.num_elliptic_curve; i++) { 98- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", 99+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", 100 (i > 0) ? "-" : "", ja3.elliptic_curve[i]); 101 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; 102 } 103 104- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); 105+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); 106 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; 107 108 for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { 109- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", 110+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", 111 (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); 112 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; 113 } 114-- 1152.17.1 116 117