diff options
| author | Peter Wu <peter@lekensteyn.nl> | 2016-01-09 13:21:28 +0100 |
|---|---|---|
| committer | Anders Broman <a.broman58@gmail.com> | 2016-01-15 08:28:20 +0000 |
| commit | 6ef2b48dbe280bdc2c2e8559556a426a9ae44b0d (patch) | |
| tree | 8fe2eb2285f8b483844160cb74e70952daa42ebc | |
| parent | cefd1d4910a31f71ddab6cc4b4c5d5a8f7ffe91e (diff) | |
| download | wireshark-6ef2b48dbe280bdc2c2e8559556a426a9ae44b0d.tar.gz | |
uaudp: fix buffer overrun while reading pref
Drop the custom str_to_addr_ip, it overruns the buffer with at most 3
bytes when an empty string is passed. Remove sizeof(guint8) while at it,
the C standard requires this to be 1.
Avoid overwriting uaudp.system_ip to avoid an invalid free of the
preference.
Change-Id: I39cb0a35364f2ecd32b780fcb7c0253bd866f329
Reviewed-on: https://code.wireshark.org/review/13145
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
| -rw-r--r-- | epan/dissectors/packet-uaudp.c | 56 |
1 files changed, 17 insertions, 39 deletions
diff --git a/epan/dissectors/packet-uaudp.c b/epan/dissectors/packet-uaudp.c index 158b6137bd..047d497268 100644 --- a/epan/dissectors/packet-uaudp.c +++ b/epan/dissectors/packet-uaudp.c @@ -25,6 +25,15 @@ #include "epan/packet.h" #include "epan/prefs.h" +#include "wsutil/report_err.h" + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif +#ifdef HAVE_WINSOCK2_H +# include <winsock2.h> /* Needed for AF_INET on Windows */ +#endif +#include "wsutil/inet_v6defs.h" #include "packet-uaudp.h" @@ -357,12 +366,12 @@ static int dissect_uaudp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, vo /* server address, if present, has precedence on ports */ if (use_sys_ip) { /* use server address to find direction*/ - if (memcmp((pinfo->src).data, sys_ip, 4*sizeof(guint8)) == 0) + if (memcmp((pinfo->src).data, sys_ip, 4) == 0) { _dissect_uaudp(tvb, pinfo, tree, SYS_TO_TERM); return tvb_captured_length(tvb); } - else if (memcmp((pinfo->dst).data, sys_ip, 4*sizeof(guint8)) == 0) + else if (memcmp((pinfo->dst).data, sys_ip, 4) == 0) { _dissect_uaudp(tvb, pinfo, tree, TERM_TO_SYS); return tvb_captured_length(tvb); @@ -385,35 +394,6 @@ static int dissect_uaudp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, vo return tvb_captured_length(tvb); } -/* XXX: Presumably there's a util fcn for this ... */ -static gboolean str_to_addr_ip(const gchar *addr, guint8 *ad) -{ - int i; - const gchar *p = addr; - guint32 value; - - if (addr == NULL) - return FALSE; - - for (i=0; i<4; i++) - { - value = 0; - while (*p != '.' && *p != '\0') - { - value = value * 10 + (*p - '0'); - p++; - } - if (value > 255) - { - return FALSE; - } - ad[i] = value; - p++; - } - - return TRUE; -} - /* Register the protocol with Wireshark */ void proto_reg_handoff_uaudp(void); @@ -657,14 +637,12 @@ void proto_reg_handoff_uaudp(void) if (ports[i].last_port) dissector_delete_uint("udp.port", ports[i].last_port, uaudp_handle); } - if (str_to_addr_ip(pref_sys_ip_s, sys_ip)) - { - use_sys_ip = TRUE; - } - else - { - use_sys_ip = FALSE; - pref_sys_ip_s = ""; + if (*pref_sys_ip_s) { + use_sys_ip = inet_pton(AF_INET, pref_sys_ip_s, sys_ip) == 1; + if (!use_sys_ip) { + report_failure("Invalid value for pref uaudp.system_ip: %s", + pref_sys_ip_s); + } } } |