QUIC: fix an integer overflow

Reported by oss-fuzz: ``` ==685288==ERROR: AddressSanitizer: SEGV on unknown address 0x61a100000687 (pc 0x0000005aba64 bp 0x7ffe3f29f510 sp 0x7ffe3f29f400 T0) ==685288==The signal is caused by a READ memory access. SCARINESS: 20 (wild-addr-read) #0 0x5aba64 in quic_len ndpi/src/lib/protocols/quic.c:203:12 ntop#1 0x5aba64 in decrypt_initial_packet ndpi/src/lib/protocols/quic.c:993:16 ntop#2 0x5aba64 in get_clear_payload ndpi/src/lib/protocols/quic.c:1302:21 ntop#3 0x5aba64 in ndpi_search_quic ndpi/src/lib/protocols/quic.c:1658:19 ntop#4 0x579f00 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:4683:6 ntop#5 0x57abe6 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0 ntop#6 0x583b2c in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:5545:15 ntop#7 0x55e75e in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:30:3 [...] ```
IvanNardi · Jan 11, 2022 · 29e97b7 · 29e97b7
1 parent 3a087e9
commit 29e97b7
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
@@ -985,8 +985,9 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi
   pn_offset = 1 + 4 + 1 + dest_conn_id_len + 1 + source_conn_id_len;
   pn_offset += quic_len(&packet->payload[pn_offset], &token_length);
   pn_offset += token_length;
-  /* Checks: quic_len reads 8 bytes, at most; quic_decrypt_header reads other 20 bytes */
-  if(pn_offset + 8 + (4 + 16) >= packet->payload_packet_len) {
+  /* Checks: quic_len reads 8 bytes, at most; quic_decrypt_header reads other 20 bytes.
+     Promote to uint64_t to avoid unsigned wrapping */
+  if((uint64_t)pn_offset + 8 + (4 + 16) >= (uint64_t)packet->payload_packet_len) {
     quic_ciphers_reset(&ciphers);
     return NULL;
   }