author | Jeff Morriss <jeff.morriss@ulticom.com> | 2009-10-03 03:09:53 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss@ulticom.com> | 2009-10-03 03:09:53 +0000 |
commit | c8df8a78acb970ba4807c05de9627c84913e89e7 (patch) | |
tree | faa030c11c1c1961d02e61ed66ab23e426e227ba /epan/req_resp_hdrs.c | |
parent | b70ee1705d0a3c77ba96d2d6ef2cbf08df054cb4 (diff) | |
download | wireshark-c8df8a78acb970ba4807c05de9627c84913e89e7.tar.gz |
Since chunk_size is now unsigned, check to ensure that it is not "too big."
(Prior to rev 30233 there was a check to make sure it was not negative. This
effectively puts that same check back in.)
Fixes the fuzz failure seen in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4083
svn path=/trunk/; revision=30260
Diffstat (limited to 'epan/req_resp_hdrs.c')
-rw-r--r-- | epan/req_resp_hdrs.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/epan/req_resp_hdrs.c b/epan/req_resp_hdrs.c index 787371921a..7c6588e2fe 100644 --- a/epan/req_resp_hdrs.c +++ b/epan/req_resp_hdrs.c @@ -130,8 +130,8 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; - } - + } + if (linelen == 0) { /* * We found the end of the headers. @@ -286,7 +286,7 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } - + /* We have a line with the chunk size in it.*/ chunk_string = tvb_get_ephemeral_string(tvb, next_offset, linelen); @@ -305,6 +305,11 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, */ return TRUE; } + if (chunk_size > 2<<31) { + /* Chunk size is unreasonable. */ + /* XXX What /is/ reasonable? */ + return TRUE; + } if (chunk_size == 0) { /* @@ -313,7 +318,7 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, */ linelen = tvb_find_line_end(tvb, chunk_offset, -1, &chunk_offset, TRUE); - + if (linelen == -1 && length_remaining >= reported_length_remaining) { @@ -326,20 +331,20 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_len = 0; done_chunking = TRUE; } else { - /* + /* * Skip to the next chunk if we - * already have it + * already have it */ if (reported_length_remaining > (gint) chunk_size) { - - next_offset = chunk_offset + + next_offset = chunk_offset + chunk_size + 2; } else { - /* + /* * Fetch this chunk, plus the * trailing CRLF. - */ + */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; |
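Review bot: The bound added at `if (chunk_size > 2<<31) {` is not a usable limit, because `2` is a signed int and with a 32-bit int the shift overflows, which is undefined behavior; compilers commonly fold it to 0, which would make the function return TRUE for every non-zero chunk size. A constant that fits the type states the intent, for example `if (chunk_size > (guint)G_MAXINT) {`. The limit also needs to be low enough for the last hunk, where a value that passes is cast in `(gint) chunk_size` and summed in `chunk_offset + chunk_size + 2`; a chunk size taken from captured traffic near the top of the range could still go negative in the cast or wrap the offset. The declarations of chunk_size and chunk_offset and the rest of req_resp_hdrs_do_reassembly lie outside the visible hunks, so the exact types are inferred from the commit message.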