Skip to content

Commit

Permalink
HTTP: fix another memory access error (#2049)
Browse files Browse the repository at this point in the history
```
=================================================================
==199079==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x559a2a6efd4f in strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader+0x94ad4f) (BuildId: 34aaabba403c6bc5482553ef355360fd2762a157)
    #1 0x559a2a9890f0 in ndpi_http_check_content /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:300:8
    #2 0x559a2a9812c0 in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:910:46
    #3 0x559a2a978fee in process_response /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1289:3
    #4 0x559a2a97622f in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1382:9
    #5 0x559a2a975d95 in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1468:3
    #6 0x559a2a864970 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5948:4
    #7 0x559a2a8660df in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6013:12
    #8 0x559a2a865d7f in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6032:12
    #9 0x559a2a876fd6 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7038:15
    #10 0x559a2a87311f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7205:22
    #11 0x559a2a77381e in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1710:31
    #12 0x559a2a77381e in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2427:10
[...]
```

Found by oss-fuzz
See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60605
  • Loading branch information
IvanNardi authored Jul 15, 2023
1 parent 2bbde5b commit 5267858
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions src/lib/protocols/http.c
Original file line number Diff line number Diff line change
Expand Up @@ -295,10 +295,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(packet->content_disposition_line.ptr[attachment_len] == '\"') {
if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"') {
//case: filename="file_name
flow->http.filename = ndpi_malloc(filename_len);
if(flow->http.filename != NULL) {
strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
flow->http.filename[filename_len-1] = '\0';
if(filename_len >= 2) {
flow->http.filename = ndpi_malloc(filename_len);
if(flow->http.filename != NULL) {
strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
flow->http.filename[filename_len-1] = '\0';
}
}
}
else if(filename_len >= 2) {
Expand Down

0 comments on commit 5267858

Please sign in to comment.