From 1e507e6fed9af648ef122e2210cb8277253f0aea Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Tue, 14 Jun 2022 08:42:09 +0200 Subject: [PATCH] Fix invalid memory access We can access `flow->protos` union only after checking the protocol. Checking `flow->detected_protocol.master_protocol` is redundant because we already check it in `is_ndpi_proto` ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==29739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000353820 (pc 0x7f9b64dd2717 bp 0x7fff161a52f0 sp 0x7fff161a4aa8 T0) ==29739==The signal is caused by a READ memory access. #0 0x7f9b64dd2717 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:96 #1 0x555c65e597d8 in __interceptor_strlen (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x6407d8) (BuildId: 11ac8ec30f1d49fb0276c9b03368e491505d2bba) #2 0x555c65fd85fa in ndpi_strdup /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:269:13 #3 0x555c65f3e8c6 in process_ndpi_collected_info /home/ivan/svnrepos/nDPI/example/reader_util.c:1188:36 #4 0x555c65f52cab in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1567:2 #5 0x555c65f4b632 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2110:10 #6 0x555c65f04d29 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:109:7 #7 0x555c65f054bb in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader.c:181:17 #8 0x7f9b64c6e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 #9 0x555c65e4253d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_ndpi_reader_with_main+0x62953d) (BuildId: 11ac8ec30f1d49fb0276c9b03368e491505d2bba) ``` Found by oss-fuzzer. See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48020 --- example/reader_util.c | 8 +++++--- src/include/ndpi_typedefs.h | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/example/reader_util.c b/example/reader_util.c index c3c18764dc5..800305b456a 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1157,10 +1157,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ndpi_flow->protos.ssh.hassh_server); } /* TLS */ - else if((is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)) + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_DTLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_SMTPS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_POPS) || ((is_quic = is_ndpi_proto(flow, NDPI_PROTOCOL_QUIC))) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->ndpi_flow->protos.tls_quic.ja3_client[0] != '\0') ) { flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 8cc88c17da8..2f47a28b507 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1276,7 +1276,7 @@ struct ndpi_flow_struct { char *esni; } encrypted_sni; ndpi_cipher_weakness server_unsafe_cipher; - } tls_quic; + } tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS */ struct { char client_signature[48], server_signature[48];