Heap-buffer-overflow in `Flow::dissectMDNS` leading to crash in ntopng 6.2

[cla7aye15I4nd]

Description:

A heap-buffer-overflow vulnerability has been identified in ntopng version 6.2, specifically in the Flow::dissectMDNS function located in Flow.cpp at line 6516. This issue can cause the application to crash, leading to a potential denial-of-service condition.

Affected Version:

• ntopng 6.2

Steps to Reproduce:

1. Build ntopng using the OSS-Fuzz configuration.

2. Run the fuzz_dissect_packet binary with a crafted input that triggers the vulnerability.

3. Observe the heap-buffer-overflow error reported by AddressSanitizer.

Crash Output:

==24560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5160000005a0 at pc 0x5612f311f101 bp 0x7fff6a23d850 sp 0x7fff6a23d008
READ of size 42 at 0x5160000005a0 thread T0
    #0 0x5612f311f100 in strncpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:604:5
    #1 0x5612f344bbba in Flow::dissectMDNS(unsigned char*, unsigned short) /src/ntopng/src/Flow.cpp:6516:8
    #2 0x5612f334dcf0 in NetworkInterface::processPacket(int, unsigned int, int, bool*, timeval const*, unsigned long, ndpi_ethhdr*, unsigned short, ndpi_iphdr*, ndpi_ipv6hdr*, unsigned short, unsigned short, unsigned int, pcap_pkthdr const*, unsigned char const*, unsigned short*, Host**, Host**, Flow**) /src/ntopng/src/NetworkInterface.cpp:2294:13
    #3 0x5612f335583e in NetworkInterface::dissectPacket(int, unsigned int, int, bool, unsigned char*, pcap_pkthdr const*, unsigned char const*, unsigned short*, Host**, Host**, Flow**) /src/ntopng/src/NetworkInterface.cpp:3004:17
    #4 0x5612f3176a61 in LLVMFuzzerTestOneInput /src/ntopng/fuzz/fuzz_dissect_packet.cpp:200:12
    #5 0x5612f302aa60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x5612f3015cd5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #7 0x5612f301b76f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #8 0x5612f3046a12 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7efc6dd01082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #10 0x5612f300debd in _start (/out/fuzz_dissect_packet+0x309ebd)

0x5160000005a0 is located 0 bytes after 544-byte region [0x516000000380,0x5160000005a0)
allocated by thread T0 here:
    #0 0x5612f313682f in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5612f35aca3c in pcap_check_header /src/libpcap-1.9.1/./sf-pcap.c:405:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/ntopng/src/Flow.cpp:6516:8 in Flow::dissectMDNS(unsigned char*, unsigned short)

[lucaderi]

Hi thanks for reporting the issue. I think you are using a different source code version as https://github.com/ntop/ntopng/blob/6.2-stable/src/Flow.cpp#L6516 it is unlikely to have the issue you reported.

Can you please attach to this ticket the artefact that has been used to cause the crash ?

[cla7aye15I4nd]

I've attached the PoC in the "Steps to Reproduce" section (item 2), which is a .jpg file (for bypassing the file type limitation of github). I'm currently using the dev branch, and the relevant commit is 3da6cfca6a60733baacf392acf4cd4a6eda83e23. I suspect the version issue you're referring to may stem from an error in the asan symbolizer.

[MatteoBiscosi]

Hi @cla7aye15I4nd could you please share how you started ntopng? (the exact command line)

[cla7aye15I4nd]

Build the OSS docker and enter

python3 oss-fuzz/infra/helper.py build_image --architecture x86_64 ntopng
docker run --rm -it gcr.io/oss-fuzz/ntopng /bin/bash

Compile and reproduce in the container

root@25a6e5d1095d:/src/ntopng# FUZZING_LANGUAGE=c compile
root@25a6e5d1095d:/out# ./fuzz_dissect_packet <your poc path>