

Kerberos: fix some memory access errors
```
==19724==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000045e at pc 0x5620b8b3d3cc bp 0x7ffe0fda6b50 sp 0x7ffe0fda6310
READ of size 2 at 0x60e00000045e thread T0
    #0 0x5620b8b3d3cb in __interceptor_strncpy (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x63f3cb) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6)
    ntop#1 0x5620b8d9b69c in strncpy_lower /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:208:4
    ntop#2 0x5620b8d995a0 in krb_parse /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:316:5
    ntop#3 0x5620b8d97a90 in ndpi_search_kerberos /home/ivan/svnrepos/nDPI/src/lib/protocols/kerberos.c:687:12
    ntop#4 0x5620b8bcef35 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:4996:4
    ntop#5 0x5620b8bd1be8 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5072:10
    ntop#6 0x5620b8bd159c in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5105:12
    ntop#7 0x5620b8be323a in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5924:15
    ntop#8 0x5620b8b8f7e0 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:24:3
    ntop#9 0x5620b8b8fd1b in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:84:17
    ntop#10 0x7f45b32b90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    ntop#11 0x5620b8acf47d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x5d147d) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6)

0x60e00000045e is located 0 bytes to the right of 158-byte region [0x60e0000003c0,0x60e00000045e)
allocated by thread T0 here:
    #0 0x5620b8b5283e in malloc (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x65483e) (BuildId: ee53ff920c8cd4c226d8520a0d4846d8864726b6)
    ntop#1 0x5620b8b8fc86 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:70:17
    ntop#2 0x7f45b32b90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
```

```
protocols/kerberos.c:79:52: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
```

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46670
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46636
IvanNardi committed Apr 13, 2022
1 parent 06a0abb commit bbc0af6
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/lib/protocols/kerberos.c
Expand Up @@ -76,7 +76,7 @@ static int krb_decode_asn1_length(struct ndpi_detection_module_struct *ndpi_stru
length = 0;
for (; i <= length_octet; ++i)
{
length |= packet->payload[*kasn1_offset + i] << (length_octet - i) * 8;
length |= (unsigned int)packet->payload[*kasn1_offset + i] << (length_octet - i) * 8;
}
*kasn1_offset += i;
}
Expand Down Expand Up @@ -262,7 +262,7 @@ static int krb_parse(struct ndpi_detection_module_struct * const ndpi_struct,
}

length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text);
if (length < 0)
if (length < 3)
{
return -1;
}
Expand Down Expand Up @@ -302,7 +302,7 @@ static int krb_parse(struct ndpi_detection_module_struct * const ndpi_struct,
}

length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text);
if (length < 0)
if (length < 3)
{
return -1;
}
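Review bot: The new lower bound `if (length < 3)` in both krb_parse hunks is an unexplained magic number; krb_parse and the consumer of `length` (presumably the strncpy_lower call named in the sanitizer trace) lie outside the hunks, so a reader cannot tell which later subtraction or index the bound of 3 protects. A one-line comment at each site, e.g. `/* need at least 3 bytes here: <reason> before the copy below */`, or one named constant shared by both checks, would make the fix reviewable and keep the two sites from drifting apart. The bound also only rejects short strings, so whether an oversized `length` is still clamped against the remaining payload before the copy should be confirmed against the non-visible callee. In the first hunk the `(unsigned int)` cast removes the reported left-shift UB, but a shift count of `(length_octet - i) * 8` is still undefined once `length_octet - i` can reach 4, and the widened value is assigned back to `length`, whose type is not visible here — worth confirming that the code before the hunk bounds `length_octet` and that `length` is wide enough to hold the result.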

