From 8d546b1f66986ccc5c48c6f5e44af4add775fc85 Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Tue, 24 Dec 2024 07:57:53 +0000
Subject: [PATCH 1/4] Fix vuln crash-7d18f37e1f05e0ff4aa4dfa2f67dd738340ad9cf
---
 3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
index bb8fdc2919..67f344733e 100644
--- a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
+++ b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
@@ -49,13 +49,24 @@ static struct _light_option *__parse_options(uint32_t **memory, const int32_t ma opt->custom_option_code = *local_memory++; opt->option_length = *local_memory++; + // Validate option_length if (opt->option_length > max_len - 2 * sizeof(*local_memory)) { free(opt); return NULL; } actual_length = (opt->option_length % alignment) == 0 ? opt->option_length : (opt->option_length / alignment + 1) * alignment; if (actual_length > 0) { opt->data = calloc(1, actual_length); - memcpy(opt->data, local_memory, actual_length); + if (actual_length <= max_len - 2 * sizeof(*local_memory)) { memcpy(opt->data, local_memory, actual_length); } else { free(opt->data); opt->data = NULL; } local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment); }
From e347d4dec35e168f44a6f46a8952b4182c0730d1 Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Sat, 4 Jan 2025 20:04:36 +0800
Subject: [PATCH 2/4] Move the heap overflow check before the allocation
---
 3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
index 67f344733e..f8c7ef309e 100644
--- a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
+++ b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
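Review bot: The new bound `max_len - 2 * sizeof(*local_memory)` mixes `max_len` (declared `const int32_t` per the hunk header) with a `size_t`, so for any max_len below 4 the subtraction wraps to a huge unsigned value and the check accepts every option_length; the two header reads on the preceding context lines also execute before anything confirms that 4 bytes remain, so a truncated trailing option is read past max_len before the check can run. Reject short input before touching the header, e.g. `if (max_len < (int32_t)(2 * sizeof(*local_memory))) { free(opt); return NULL; }` ahead of `opt->custom_option_code = *local_memory++;`, and compute the remaining byte budget once into a `size_t` local that both comparisons in this hunk use. The function's signature, the allocation of `opt` and any existing `max_len <= 0` guard lie outside the hunk, so whether small positive values can reach here cannot be confirmed from this view.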
@@ -59,14 +59,9 @@ static struct _light_option *__parse_options(uint32_t **memory, const int32_t ma opt->option_length : (opt->option_length / alignment + 1) * alignment; - if (actual_length > 0) { + if (actual_length > 0 && actual_length <= max_len - 2 * sizeof(*local_memory)) { opt->data = calloc(1, actual_length); - if (actual_length <= max_len - 2 * sizeof(*local_memory)) { - memcpy(opt->data, local_memory, actual_length); - } else { - free(opt->data); - opt->data = NULL; - } + memcpy(opt->data, local_memory, actual_length); local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment); }
From 6c67fb28940e7ee4f8a72700f5e4563697f0f79b Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Thu, 9 Jan 2025 11:31:52 +0800
Subject: [PATCH 3/4] Terminating immediately when overflow is found
---
 .../LightPcapNg/LightPcapNg/src/light_pcapng.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
index f8c7ef309e..7211adeba9 100644
--- a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
+++ b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
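Review bot: `calloc(1, actual_length)` on the line after the new condition still flows unchecked into `memcpy(opt->data, local_memory, actual_length)`, so an allocation failure becomes a NULL-pointer write; add `if (opt->data == NULL) { free(opt); return NULL; }` between the two lines. The rejecting side of the new condition is also silent: an oversized option leaves `opt->data` NULL while `opt->option_length` keeps the attacker-supplied value, and control falls through to the `*memory` and `remaining_size` lines below the hunk, so the caller cannot distinguish a rejected option from an empty one (patch 3/4 on this page replaces that fall-through with an early return). The start of __parse_options is outside the hunk.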
@@ -49,21 +49,28 @@ static struct _light_option *__parse_options(uint32_t **memory, const int32_t ma opt->custom_option_code = *local_memory++; opt->option_length = *local_memory++; + // PCPP patch // Validate option_length if (opt->option_length > max_len - 2 * sizeof(*local_memory)) { free(opt); return NULL; } + // PCPP patch end actual_length = (opt->option_length % alignment) == 0 ? opt->option_length : (opt->option_length / alignment + 1) * alignment; - if (actual_length > 0 && actual_length <= max_len - 2 * sizeof(*local_memory)) { - opt->data = calloc(1, actual_length); - memcpy(opt->data, local_memory, actual_length); - local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment); + // PCPP patch + // Validate option_length + if (actual_length <= 0 || actual_length > max_len - 2 * sizeof(*local_memory)) { + free(opt); + return NULL; } + opt->data = calloc(1, actual_length); + memcpy(opt->data, local_memory, actual_length); + local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment); + // PCPP patch end *memory = (uint32_t*)local_memory; remaining_size = max_len - actual_length - 2 * sizeof(*local_memory);
From 6c5d27f9c4c8e6eccdb589ae06a8b4e72da0f115 Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Thu, 9 Jan 2025 11:33:07 +0800
Subject: [PATCH 4/4] Fix typo err
---
 3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
index 7211adeba9..eaac07a6b0 100644
--- a/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
+++ b/3rdParty/LightPcapNg/LightPcapNg/src/light_pcapng.c
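Review bot: The `actual_length <= 0 ||` clause in the second new check turns a zero-length option into a hard failure (`free(opt); return NULL;`), whereas the `if (actual_length > 0)` it replaces merely skipped the copy. Zero-length options are legal pcapng — the opt_endofopt terminator is code 0 with length 0 — so a well-formed option list now ends in NULL instead of the terminator entry; the code-0 handling and the caller sit below the hunk, so the exact fallout cannot be confirmed from here, but it is a behaviour change the commit message does not claim. Keep only the upper-bound check and guard the copy as below (if `actual_length` is unsigned, `<= 0` was in any case just `== 0`); `calloc`'s result should also be tested before the `memcpy`. The enclosing function starts outside the hunk.
```c
    // PCPP patch
    // Validate actual_length (payload size rounded up to alignment)
    if (actual_length > max_len - 2 * sizeof(*local_memory)) {
        free(opt);
        return NULL;
    }
    // A zero-length option (e.g. opt_endofopt) is valid: keep it, copy nothing.
    if (actual_length > 0) {
        opt->data = calloc(1, actual_length);
        if (opt->data == NULL) {
            free(opt);
            return NULL;
        }
        memcpy(opt->data, local_memory, actual_length);
        local_memory += (sizeof(**memory) / sizeof(*local_memory)) * (actual_length / alignment);
    }
    // PCPP patch end
    // … unchanged: *memory / remaining_size update …
```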
@@ -62,7 +62,7 @@ static struct _light_option *__parse_options(uint32_t **memory, const int32_t ma (opt->option_length / alignment + 1) * alignment; // PCPP patch - // Validate option_length + // Validate actual_length if (actual_length <= 0 || actual_length > max_len - 2 * sizeof(*local_memory)) { free(opt); return NULL;