gfwleak/mesa-platform-quic
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-7993: 解密后得到得payload length为0时,未对异常值做判断导致memcpy越界,也可导致watchdog timeout

Browse Source
This commit is contained in:
liuxueli
2021-10-12 15:56:14 +08:00
parent e436823d37
commit a6d1dbf9d2
1 changed files with 22 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/parser_quic.cpp
View File

@@ -168,8 +168,8 @@ static void quic_decrypt_message(quic_pp_cipher *pp_cipher, const char *payload,
// buffer_length = length - (header_length + 16);
// buffer_length = 297 - (2 + 16);
buffer_length = length - (pkn_len + 16);
if (buffer_length == 0) {
*error = (const guchar *)"Decryption not possible, ciphertext is too short";
if (buffer_length == 0 || buffer_length >1500) {
*error = (const guchar *)"Decryption not possible, ciphertext is too short or too long";
return;
}
buffer = (guint8 *)g_malloc(buffer_length);
@@ -765,23 +765,28 @@ int dissect_quic(const char *payload, unsigned int length, unsigned char *out, u
// printf("%d\n", token_length);
pn_offset += tvb_get_varint(payload, pn_offset, 8, &payload_length, ENC_VARINT_QUIC);
// printf("%d\n", payload_length);
// Assume failure unless proven otherwise.
ciphers = &conn.client_initial_ciphers;
error = "Header deprotection failed";
if (quic_decrypt_header(payload, pn_offset, &ciphers->hp_cipher, GCRY_CIPHER_AES128, &first_byte, &pkn32))
error = NULL;
if (!error) {
quic_set_full_packet_number(&conn, &quic_packet, from_server, first_byte, pkn32);
quic_packet.first_byte = first_byte;
if(payload_length==0 || payload_length >1500)
{
quic_packet.decryption.error = (const guchar*)"Payload length is too small or too long";
}
else
{
// Assume failure unless proven otherwise.
ciphers = &conn.client_initial_ciphers;
error = "Header deprotection failed";
if (quic_decrypt_header(payload, pn_offset, &ciphers->hp_cipher, GCRY_CIPHER_AES128, &first_byte, &pkn32))
error = NULL;
if (!error) {
quic_set_full_packet_number(&conn, &quic_packet, from_server, first_byte, pkn32);
quic_packet.first_byte = first_byte;
}
// Payload
// skip type(1) + version(4) + DCIL+DCID + SCIL+SCID + len_token_length + token_length + len_payload_length + len_packet_number
offset = pn_offset + quic_packet.pkn_len;
//quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
// Payload
// skip type(1) + version(4) + DCIL+DCID + SCIL+SCID + len_token_length + token_length + len_payload_length + len_packet_number
offset = pn_offset + quic_packet.pkn_len;
//quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
}
// Out
if (!quic_packet.decryption.error)