Skip to content

Commit 5347fde

Browse files
committed
Fix: OOB read / potential heap overflow nasl_packet_forgery*
1 parent 46ef948 commit 5347fde

2 files changed

Lines changed: 25 additions & 4 deletions

File tree

nasl/nasl_packet_forgery.c

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -370,9 +370,9 @@ insert_ip_options (lex_ctxt *lexic)
370370
int pad_len;
371371
char zero = '0';
372372
int i;
373-
int hl;
373+
size_t hl;
374374

375-
if (ip == NULL)
375+
if (ip == NULL || value == NULL)
376376
{
377377
nasl_perror (lexic, "Usage : insert_ip_options(ip:<ip>, code:<code>, "
378378
"length:<len>, value:<value>\n");
@@ -384,7 +384,11 @@ insert_ip_options (lex_ctxt *lexic)
384384
pad_len = 0;
385385

386386
hl = ip->ip_hl * 4 < UNFIX (ip->ip_len) ? ip->ip_hl * 4 : UNFIX (ip->ip_len);
387+
if (hl > size)
388+
return NULL; // malformed.
389+
387390
new_packet = g_malloc0 (size + 4 + value_size + pad_len);
391+
388392
bcopy (ip, new_packet, hl);
389393

390394
uc_code = (u_char) code;
@@ -898,6 +902,13 @@ get_tcp_option (lex_ctxt *lexic)
898902
ip = (struct ip *) packet;
899903

900904
ipsz = get_var_size_by_name (lexic, "tcp");
905+
if (ipsz < (int) sizeof (struct ip))
906+
return NULL;
907+
908+
// check that ip + tcp is bigger that the original packet
909+
if (ip->ip_hl * 4 + 20 > ipsz)
910+
return NULL;
911+
901912
// ip header length is given in 32 bits words = 4 bytes.
902913
if (ip->ip_hl * 4 > ipsz)
903914
return NULL; /* Invalid packet */

nasl/nasl_packet_forgery_v6.c

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -407,9 +407,9 @@ insert_ip_v6_options (lex_ctxt *lexic)
407407
int pad_len;
408408
char zero = '0';
409409
int i;
410-
int pl;
410+
size_t pl;
411411

412-
if (ip6 == NULL)
412+
if (ip6 == NULL && value == NULL)
413413
{
414414
nasl_perror (lexic,
415415
"Usage : %s(ip6:<ip6>, code:<code>, "
@@ -423,6 +423,10 @@ insert_ip_v6_options (lex_ctxt *lexic)
423423
pad_len = 0;
424424

425425
pl = 40 < UNFIX (ip6->ip6_plen) ? 40 : UNFIX (ip6->ip6_plen);
426+
427+
if (pl > size)
428+
return NULL; // malformed packet.
429+
426430
new_packet = g_malloc0 (size + 4 + value_size + pad_len);
427431
bcopy (ip6, new_packet, pl);
428432

@@ -863,6 +867,12 @@ get_tcp_v6_option (lex_ctxt *lexic)
863867

864868
/* valid ipv6 header check */
865869
ipsz = get_var_size_by_name (lexic, "tcp");
870+
if (ipsz < (int) sizeof (struct ip6_hdr))
871+
return NULL; // mal formed.
872+
873+
if (40 + 20 > ipsz)
874+
return NULL;
875+
866876
if (UNFIX (ip6->ip6_plen) > ipsz)
867877
return NULL; /* Invalid packet */
868878

0 commit comments

Comments
 (0)