From a6d1dbf9d2ffb9e2a89474a6d4933cfe3bf43439 Mon Sep 17 00:00:00 2001
From: liuxueli
Date: Tue, 12 Oct 2021 15:56:14 +0800
Subject: [PATCH] =?UTF-8?q?TSG-7993:=20=E8=A7=A3=E5=AF=86=E5=90=8E?=
 =?UTF-8?q?=E5=BE=97=E5=88=B0=E5=BE=97payload=20length=E4=B8=BA0=E6=97=B6?=
 =?UTF-8?q?=EF=BC=8C=E6=9C=AA=E5=AF=B9=E5=BC=82=E5=B8=B8=E5=80=BC=E5=81=9A?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=E5=AF=BC=E8=87=B4memcpy=E8=B6=8A=E7=95=8C?=
 =?UTF-8?q?=EF=BC=8C=E4=B9=9F=E5=8F=AF=E5=AF=BC=E8=87=B4watchdog=20timeout?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/parser_quic.cpp | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/parser_quic.cpp b/src/parser_quic.cpp
index de3b968..926e295 100644
--- a/src/parser_quic.cpp
+++ b/src/parser_quic.cpp
@@ -168,8 +168,8 @@ static void quic_decrypt_message(quic_pp_cipher *pp_cipher, const char *payload,
 // buffer_length = length - (header_length + 16);
 // buffer_length = 297 - (2 + 16);
 buffer_length = length - (pkn_len + 16);
- if (buffer_length == 0) {
- *error = (const guchar *)"Decryption not possible, ciphertext is too short";
+ if (buffer_length == 0 || buffer_length >1500) {
+ *error = (const guchar *)"Decryption not possible, ciphertext is too short or too long";
 return;
 }
 buffer = (guint8 *)g_malloc(buffer_length);
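Review bot: The `buffer_length >1500` test on the changed `if` line catches a symptom rather than the cause: `buffer_length = length - (pkn_len + 16)` on the context line above goes out of range whenever `length < pkn_len + 16`, and because the hunk does not show the type of `buffer_length`, the result either wraps to a large unsigned value that happens to trip `>1500` or, if the variable is signed, stays negative and passes both comparisons straight into `g_malloc`. Check the operands before subtracting, `if (length <= pkn_len + 16) { *error = (const guchar *)"Decryption not possible, ciphertext is too short"; return; }`, which also makes the `== 0` test redundant; if an upper bound is still wanted, give the bare `1500` a name and a one-line comment, since QUIC datagrams on a path with a larger MTU legitimately exceed it. The dissect_quic hunk below has the same shape: `payload_length` there is a varint decoded from the packet itself, so the check it needs is `pn_offset + payload_length <= length` against the `length` that function receives, not a fixed 1500 that still lets a declared length larger than the actual datagram through to `quic_process_payload`. That hunk's new `if(payload_length==0 || payload_length >1500)` block with braces on their own lines also departs from the K&R style of the neighbouring `if (!error) {`. quic_decrypt_message's body continues outside this hunk on both sides.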
@@ -765,23 +765,28 @@ int dissect_quic(const char *payload, unsigned int length, unsigned char *out, u
 // printf("%d\n", token_length);
 pn_offset += tvb_get_varint(payload, pn_offset, 8, &payload_length, ENC_VARINT_QUIC);
- // printf("%d\n", payload_length);
-
- // Assume failure unless proven otherwise.
- ciphers = &conn.client_initial_ciphers;
- error = "Header deprotection failed";
- if (quic_decrypt_header(payload, pn_offset, &ciphers->hp_cipher, GCRY_CIPHER_AES128, &first_byte, &pkn32))
- error = NULL;
- if (!error) {
- quic_set_full_packet_number(&conn, &quic_packet, from_server, first_byte, pkn32);
- quic_packet.first_byte = first_byte;
+ if(payload_length==0 || payload_length >1500)
+ {
+ quic_packet.decryption.error = (const guchar*)"Payload length is too small or too long";
 }
+ else
+ {
+ // Assume failure unless proven otherwise.
+ ciphers = &conn.client_initial_ciphers;
+ error = "Header deprotection failed";
+ if (quic_decrypt_header(payload, pn_offset, &ciphers->hp_cipher, GCRY_CIPHER_AES128, &first_byte, &pkn32))
+ error = NULL;
+ if (!error) {
+ quic_set_full_packet_number(&conn, &quic_packet, from_server, first_byte, pkn32);
+ quic_packet.first_byte = first_byte;
+ }
- // Payload
- // skip type(1) + version(4) + DCIL+DCID + SCIL+SCID + len_token_length + token_length + len_payload_length + len_packet_number
- offset = pn_offset + quic_packet.pkn_len;
- //quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
- quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
+ // Payload
+ // skip type(1) + version(4) + DCIL+DCID + SCIL+SCID + len_token_length + token_length + len_payload_length + len_packet_number
+ offset = pn_offset + quic_packet.pkn_len;
+ //quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
+ quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
+ }
 // Out
 if (!quic_packet.decryption.error)