nfqws: prevent out-of-band access in IsQUICCryptoHello

3 years ago · 64406960aa
10 changed files with 4 additions and 2 deletions
--- a/binaries/aarch64/nfqws
+++ b/binaries/aarch64/nfqws
--- a/binaries/arm/nfqws
+++ b/binaries/arm/nfqws
--- a/binaries/freebsd-x64/dvtws
+++ b/binaries/freebsd-x64/dvtws
--- a/binaries/mips32r1-lsb/nfqws
+++ b/binaries/mips32r1-lsb/nfqws
--- a/binaries/mips32r1-msb/nfqws
+++ b/binaries/mips32r1-msb/nfqws
--- a/binaries/mips64r2-msb/nfqws
+++ b/binaries/mips64r2-msb/nfqws
--- a/binaries/ppc/nfqws
+++ b/binaries/ppc/nfqws
--- a/binaries/x86/nfqws
+++ b/binaries/x86/nfqws
--- a/binaries/x86_64/nfqws
+++ b/binaries/x86_64/nfqws
--- a/nfq/protocol.c
+++ b/nfq/protocol.c
@ -86,10 +86,12 @@ bool IsQUICCryptoHello(const uint8_t *data, size_t len, size_t *hello_offset, si
 	size_t offset = 1;
 	uint64_t coff, clen;
 	if (len < 3 || *data != 6) return false;
 	if ((offset+tvb_get_size(data[offset])) >= len) return false;
 	offset += tvb_get_varint(data + offset, &coff);
-	if (offset >= len) return false;
+	// offset must be 0 if it's a full segment, not just a chunk
 	if (coff || (offset+tvb_get_size(data[offset])) >= len) return false;
 	offset += tvb_get_varint(data + offset, &clen);
-	if (offset >= len || data[offset] != 0x01 || (offset + coff + clen) > len) return false;
+	if (data[offset] != 0x01 || (offset + coff + clen) > len) return false;
 	if (hello_offset) *hello_offset = offset + coff;
 	if (hello_len) *hello_len = (size_t)clen;
 	return true;