authorGuy Harris <guy@alum.mit.edu>2005-10-04 10:23:40 +0000
committerGuy Harris <guy@alum.mit.edu>2005-10-04 10:23:40 +0000
commit2a8e47b11a19e61a9df3e7322e54cd0c00dbd25b (patch)
tree9cd7888f1053b91641991667ae98a5dbe813787d /epan/dissectors/packet-dcerpc-spoolss.c
parent72dd04b43c973bb1f22bedf682909237efed2c1c (diff)
Don't ensure all the bytes of a security descriptor exist before calling
"dissect_nt_sec_desc()". Add a Boolean argument to "dissect_nt_sec_desc()" to indicate whether a length was passed to it (so we don't treat -1 as a special value; we want to stop treating -1 as a special length value, and, in fact, want to stop treating *any* negative length values specially, so that we don't have to worry about passing arbitrary 32-bit values from packets as lengths), and have "dissect_nt_sec_desc()" initially create the protocol tree item for the security descriptor with a length of "go to the end of the tvbuff", and set the length once we're done dissecting it - and, if the length was specified, check at *that* point, *after* we've dissected the security descriptor, whether we have the entire security descriptor in the tvbuff. That means that we don't have to worry about overflows after "dissect_nt_sec_desc()" returns - if the length was so large that we would have gotten an overflow, we'd have thrown an exception in the "tvb_ensure_bytes_exist()" call at the end of "dissect_nt_sec_desc()". Do sanity checks on offsets within the security descriptor, so we know the item referred to by the offset is after the fixed-length portion of the descriptor. svn path=/trunk/; revision=16113
Diffstat (limited to 'epan/dissectors/packet-dcerpc-spoolss.c')
-rw-r--r--epan/dissectors/packet-dcerpc-spoolss.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/epan/dissectors/packet-dcerpc-spoolss.c b/epan/dissectors/packet-dcerpc-spoolss.c
index 42ce9c0b95..9dd5a95538 100644
--- a/epan/dissectors/packet-dcerpc-spoolss.c
+++ b/epan/dissectors/packet-dcerpc-spoolss.c
@@ -2275,17 +2275,13 @@ static int dissect_PRINTER_INFO_2(tvbuff_t *tvb, int offset,
* lacking the "len" argument, so that won't work.
*/
- /* TODO: I think the length is only used to fix up the hex display
- pane. We should be able to use proto_item_set_len() to avoid
- having to calculate the length. -tpot */
-
offset = dissect_ndr_uint32(
tvb, offset, pinfo, NULL, drep, hf_offset,
&secdesc_offset);
dissect_nt_sec_desc(
tvb, secdesc_offset, pinfo, tree, drep,
- tvb_length_remaining(tvb, secdesc_offset),
+ FALSE, -1,
&spoolss_printer_access_mask_info);
offset = dissect_printer_attributes(tvb, offset, pinfo, tree, drep);
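Review bot: `secdesc_offset` is read from the packet by `dissect_ndr_uint32()` and passed straight to `dissect_nt_sec_desc()` as the starting offset, and nothing in this hunk range-checks it. The sanity checks the description adds cover offsets inside the descriptor, not this outer one. If the variable is a `guint32` and the callee takes an `int` offset (neither declaration is visible here), a value with the high bit set becomes negative, which the tvbuff accessors treat as relative to the end of the buffer rather than rejecting. A guard before the call such as `if (secdesc_offset > G_MAXINT32) THROW(ReportedBoundsError);` would turn that case into a malformed-packet report. The same pattern is in the dissect_spoolss_JOB_INFO_2 hunk, and both function bodies extend beyond their hunks.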
@@ -2335,7 +2331,7 @@ static int dissect_PRINTER_INFO_3(tvbuff_t *tvb, int offset,
offset = dissect_nt_sec_desc(
tvb, offset, pinfo, tree, drep,
- tvb_length_remaining(tvb, offset),
+ FALSE, -1,
&spoolss_printer_access_mask_info);
return offset;
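Review bot: The `FALSE, -1` pair keeps `-1` at the call site even though the description says `-1` should stop being a special length. With `FALSE` the length is presumably ignored, so the literal reads as a leftover sentinel. Passing `FALSE, 0`, or adding a short comment such as `/* length not known */` next to the argument, would make the intent clear. The same pair is used in the dissect_PRINTER_INFO_2 and dissect_spoolss_JOB_INFO_2 hunks, and the enclosing function starts before this hunk.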
@@ -3413,7 +3409,7 @@ dissect_SEC_DESC_BUF(tvbuff_t *tvb, int offset, packet_info *pinfo,
hf_secdescbuf_len, &len);
dissect_nt_sec_desc(
- tvb, offset, pinfo, subtree, drep, len,
+ tvb, offset, pinfo, subtree, drep, TRUE, len,
&spoolss_printer_access_mask_info);
offset += len;
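Review bot: `offset += len;` after the call relies on a contract that is not visible at this call site. Per the commit description, `dissect_nt_sec_desc()` now ends with `tvb_ensure_bytes_exist()` on the supplied length and throws before returning if the bytes are missing. A comment above the addition would record that dependency for anyone who later changes the callee, e.g. `/* dissect_nt_sec_desc() has checked that len bytes exist, so this addition cannot overflow */`. The call's return value is discarded here, so the advance depends entirely on the packet-supplied `len`. dissect_SEC_DESC_BUF continues outside the hunk.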
@@ -4538,7 +4534,7 @@ dissect_spoolss_JOB_INFO_2(tvbuff_t *tvb, int offset, packet_info *pinfo,
dissect_nt_sec_desc(
tvb, secdesc_offset, pinfo, subtree, drep,
- tvb_length_remaining(tvb, secdesc_offset),
+ FALSE, -1,
&spoolss_job_access_mask_info);
offset = dissect_job_status(tvb, offset, pinfo, subtree, drep);