TSG-7993: 解密后得到的payload length为0时，未对异常值做判断导致memcpy越界，也可导致watchdog timeout

This commit is contained in:
liuxueli
2021-10-12 15:56:14 +08:00
parent e436823d37
commit a6d1dbf9d2


@@ -168,8 +168,8 @@ static void quic_decrypt_message(quic_pp_cipher *pp_cipher, const char *payload,
// buffer_length = length - (header_length + 16); // buffer_length = length - (header_length + 16);
// buffer_length = 297 - (2 + 16); // buffer_length = 297 - (2 + 16);
buffer_length = length - (pkn_len + 16); buffer_length = length - (pkn_len + 16);
if (buffer_length == 0) { if (buffer_length == 0 || buffer_length >1500) {
*error = (const guchar *)"Decryption not possible, ciphertext is too short"; *error = (const guchar *)"Decryption not possible, ciphertext is too short or too long";
return; return;
} }
buffer = (guint8 *)g_malloc(buffer_length); buffer = (guint8 *)g_malloc(buffer_length);
@@ -765,8 +765,12 @@ int dissect_quic(const char *payload, unsigned int length, unsigned char *out, u
// printf("%d\n", token_length); // printf("%d\n", token_length);
pn_offset += tvb_get_varint(payload, pn_offset, 8, &payload_length, ENC_VARINT_QUIC); pn_offset += tvb_get_varint(payload, pn_offset, 8, &payload_length, ENC_VARINT_QUIC);
// printf("%d\n", payload_length); if(payload_length==0 || payload_length >1500)
{
quic_packet.decryption.error = (const guchar*)"Payload length is too small or too long";
}
else
{
// Assume failure unless proven otherwise. // Assume failure unless proven otherwise.
ciphers = &conn.client_initial_ciphers; ciphers = &conn.client_initial_ciphers;
error = "Header deprotection failed"; error = "Header deprotection failed";
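Review bot: The added `if(payload_length==0 || payload_length >1500)` bounds the declared length only against a fixed 1500, not against the bytes actually present in `payload`, so a long-header packet that advertises more payload than `length - pn_offset` still reaches the `quic_process_payload(payload, payload_length, …)` call in the following hunk with a length the buffer cannot back. Tie the check to the real remaining size, `if (payload_length == 0 || pn_offset > length || payload_length > length - pn_offset)`, and if the 1500 cap is kept for the watchdog case give it a named constant, since the same literal is repeated in the first hunk's `buffer_length > 1500` test. In that first hunk `buffer_length = length - (pkn_len + 16)` is still computed before any check; if `buffer_length` is a signed type (its declaration is outside the hunk) a `length` below `pkn_len + 16` gives a negative value that neither `== 0` nor `> 1500` catches, so guarding `length < pkn_len + 16` before the subtraction is safer than relying on unsigned wrap. The `else` block opened here closes in the next hunk, outside this one.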
@@ -782,6 +786,7 @@ int dissect_quic(const char *payload, unsigned int length, unsigned char *out, u
offset = pn_offset + quic_packet.pkn_len; offset = pn_offset + quic_packet.pkn_len;
//quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len); //quic_process_payload(payload, length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len); quic_process_payload(payload, payload_length, offset, &conn, &quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet.pkn_len);
}
// Out // Out
if (!quic_packet.decryption.error) if (!quic_packet.decryption.error)