Numeric truncation at diameter.c:76

[headshog]

Hi! We've been fuzzing nDPI with sydr-fuzz security predicates and we found numeric truncation error in diameter.c:76.

In function is_diameter on line 76 variable com_code has type u_int16_t. But on the right side of operator there is an integer type value, so the numeric truncation may occur. Variable com_code is used after in if operator where it is checked for equality to constant values on line 78. We found an input for fuzz-target which makes com_code variable equal to one of these constants after truncation on line 76. That means that that function returns with code 0, which is most likely incorrect. So we suggest to change the type u_int16_t of this variable to type u_int32_t.

Environment

• OS: ubuntu 20.04
• commit: 334b435

How to reproduce this error

1. Build docker container:

   sudo docker build -t oss-sydr-fuzz-ndpi .
   
   

2. Run docker container:

   docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-ndpi /bin/bash
   
   

3. Run on the following input:

   /nDPI/libfuzzer/fuzz_ndpi_reader_alloc_fail sydr_39642e89d3e664c881362684e932beee68506e95_num_trunc_1.txt
   
   

4. Output:

   protocols/diameter.c:76:26: runtime error: implicit conversion from type 'int' of value 65810 (32-bit, signed) to type 'u_int16_t' (aka 'unsigned short') changed the value to 274 (16-bit, unsigned)
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/diameter.c:76:26
   

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[IvanNardi]

@headshog, thanks for your fixes