From ecee2ace1cafc94f69c6dbb3a51bbb12b1f870b8 Mon Sep 17 00:00:00 2001
From: Gabriel Ganne
Date: Wed, 6 Mar 2019 14:31:08 +0100
Subject: [PATCH 1/2] fix NULL pointer dereference get_ipv6_l4proto()

get_ipv6_next() returns NULL on malformed packets. If that happens return the last proto that could be read. This should fix issue #537
---
 src/common/get.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/common/get.c b/src/common/get.c
index e6304289c..081a67ac6 100644
--- a/src/common/get.c
+++ b/src/common/get.c
@@ -536,6 +536,8 @@ get_ipv6_l4proto(const ipv6_hdr_t *ip6_hdr, int len)
 case TCPR_IPV6_NH_HBH:
 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
+ if (exthdr == NULL)
+ return proto;
 proto = exthdr->ip_nh;
 ptr = (u_char *)exthdr;
 break;

From 5d6f191d35dbc3b4be60abdf1c05fe8f8cf515bd Mon Sep 17 00:00:00 2001
From: Gabriel Ganne
Date: Wed, 6 Mar 2019 14:15:56 +0100
Subject: [PATCH 2/2] fix NULL pointer dereference in get_layer4_v6()

get_ipv6_next() returns NULL on malformed packets. If that happens return the last header that could be read. This should fix issue #536
---
 src/common/get.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/common/get.c b/src/common/get.c
index 081a67ac6..9e730cf66 100644
--- a/src/common/get.c
+++ b/src/common/get.c
@@ -407,6 +407,8 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const int len)
 dbgx(3, "Going deeper due to extension header 0x%02X", proto);
 maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);
 exthdr = get_ipv6_next(next, maxlen);
+ if (exthdr == NULL)
+ return next;
 proto = exthdr->ip_nh;
 next = exthdr;
 break;
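Review bot: At the added `return proto;` in get_ipv6_l4proto(), `proto` still holds the extension-header value that selected this branch (TCPR_IPV6_NH_HBH is the visible label), so a truncated packet reports an extension-header number as its layer-4 protocol and the caller cannot tell that parsing stopped early. A comment such as `/* malformed/truncated extension header: proto is NOT a layer-4 protocol here */` plus a debug line, `dbgx(3, "Truncated IPv6 extension header, stopping at 0x%hhx", proto);`, before the return would make that contract explicit. Also, `len` is passed to get_ipv6_next() unchanged while `ptr` advances via `ptr = (u_char *)exthdr;`. Unless it is reduced elsewhere in the loop, which starts and ends outside this hunk, later headers are checked against the full length rather than what remains after `ptr`.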
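Review bot: The added `return next;` in get_layer4_v6() hands back the extension header that get_ipv6_next() has just refused to step past, so a caller that treats the result as the start of the layer-4 header will parse bytes of a malformed packet as layer 4. If callers already accept NULL from this function (not visible here), `return NULL;` is the safer result; otherwise the behaviour deserves a comment at the return. Separately, the context line `maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);` subtracts `ip6_hdr - next`, which is zero or negative if `next` lies after `ip6_hdr` (inferred from `next = exthdr;`), making `maxlen` at least `len`. The remaining length would be `len - (int)((u_char *)next - (u_char *)ip6_hdr)`, and the new NULL check is only as good as that bound. The loop starts and ends outside the hunk.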