From: Mike Stepanek (mstepane) Date: Mon, 3 Dec 2018 16:01:38 +0000 (-0500) Subject: Merge pull request #1447 in SNORT/snort3 from ~DDAHIPHA/snort3:heap_overflow_fix... X-Git-Tag: 3.0.0-250~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34e45355187735477aa06758f148e6d0356ab237;p=thirdparty%2Fsnort3.git Merge pull request #1447 in SNORT/snort3 from ~DDAHIPHA/snort3:heap_overflow_fix to master Squashed commit of the following: commit baa221ddec90f0f3153bfb64bb62c9f5e27fbc02 Author: Devendra Dahiphale Date: Mon Dec 3 09:26:19 2018 -0500 appid: Fix heap overflow issue for a fuzzed pcap
---
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index bd7ef9491..4ae336d7c 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -443,8 +443,12 @@ static void parse_client_initiation(const uint8_t* data, uint16_t size, ServiceS
 return;
 }
- data += ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
- length -= ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
+ unsigned len = ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
+ if (len > length)
+ return;
+
+ data += len;
+ length -= len;
 }
 }
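Review bot: The new `if (len > length) return;` guard only bounds the step to the next extension, so whether it fully closes the over-read depends on code outside the hunk. The next iteration still dereferences `ext->length`, so the enclosing loop condition should require at least `offsetof(ServiceSSLV3ExtensionServerName, list_length)` bytes remaining before that read. The comparison also mixes `unsigned len` with `length`, whose declaration is not visible here; if `length` is a signed type the comparison is carried out in unsigned arithmetic, which is worth confirming. I would also add a one-line comment above the check, e.g. `// extension claims more bytes than remain in the record: malformed, stop parsing`, so the silent return is not mistaken for a normal exit. The body of parse_client_initiation starts and ends outside the hunk.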