Fix Heap-buffer-overflow (read) in TcpLayer::isDataValid. Closes sela…

…db#1130 (seladb#1162)
sashashura · Aug 4, 2023 · 0725fa1 · 0725fa1
1 parent 59bb2d1
commit 0725fa1
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/Packet++/header/TLVData.h b/Packet++/header/TLVData.h
@@ -288,18 +288,18 @@ namespace pcpp
 			if (record.isNull())
 				return resRec;
 
-			// record pointer is out-bounds of the TLV records memory
-			if ((record.getRecordBasePtr() - tlvDataBasePtr) < 0)
-				return resRec;
-
-			// record pointer is out-bounds of the TLV records memory
-			if (record.getRecordBasePtr() - tlvDataBasePtr + (int)record.getTotalSize() >= (int)tlvDataLen)
-				return resRec;
-
 			resRec.assign(record.getRecordBasePtr() + record.getTotalSize());
 			if (resRec.getTotalSize() == 0)
 				resRec.assign(NULL);
 
+			// resRec pointer is out-bounds of the TLV records memory
+			if ((resRec.getRecordBasePtr() - tlvDataBasePtr) < 0)
+				resRec.assign(NULL);
+
+			// resRec pointer is out-bounds of the TLV records memory
+			if (!resRec.isNull() && resRec.getRecordBasePtr() + resRec.getTotalSize() > tlvDataBasePtr + tlvDataLen)
+				resRec.assign(NULL);
+
 			return resRec;
 		}