author | Anthony Coddington <anthony.coddington@endace.com> | 2016-05-05 19:40:57 +1200 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2016-05-22 12:45:12 +0000 |
commit | 546f5aa31ba2b2733a4c1c7b62544c9b660f5726 (patch) | |
tree | 9c3775e34b5975eee14ca426dd6d4daad3b7ea3e /wiretap/erf.c | |
parent | 6d0738f206474718b379427d3bf712c2b389be16 (diff) | |
ERF: Fix and improve ERF_TYPE_META sanity checks
Fix sanity checking overflow in wiretap ERF_TYPE_META parsing segfault.
Fix final tag of exactly 4 bytes not being dissected.
Fix not setting bitfield tag subtree (was working due to proto.c internal behaviour).
Add dissector expertinfo for truncated tags. Dissect type and length on error.
Bug: 12352
Change-Id: I3fe6644f369e4d6f1f64270cb83c8d0f8a1f1a94
Reviewed-on: https://code.wireshark.org/review/15357
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'wiretap/erf.c')
-rw-r--r-- | wiretap/erf.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/wiretap/erf.c b/wiretap/erf.c
index d51f8f2c4c..beb0fdecea 100644
--- a/wiretap/erf.c
+++ b/wiretap/erf.c
@@ -88,7 +88,7 @@ static const struct {
 #define NUM_ERF_ENCAPS (sizeof erf_to_wtap_map / sizeof erf_to_wtap_map[0])
 #define ERF_META_TAG_HEADERLEN 4
-#define ERF_META_TAG_ALIGNED_LENGTH(taglength) (((taglength + 0x3) &~0x3) + ERF_META_TAG_HEADERLEN)
+#define ERF_META_TAG_ALIGNED_LENGTH(taglength) ((((guint32)taglength + 0x3U) & ~0x3U) + ERF_META_TAG_HEADERLEN)
 struct erf_if_info {
 int if_index;
@@ -1236,6 +1236,7 @@ static guint32 erf_meta_read_tag(struct erf_meta_tag* tag, guint8 *tag_ptr, guin
 {
 guint16 tagtype;
 guint16 taglength;
+ guint32 tagtotallength;
 if (!tag_ptr || !tag || remaining_len < ERF_META_TAG_HEADERLEN)
 return 0;
@@ -1246,7 +1247,9 @@ static guint32 erf_meta_read_tag(struct erf_meta_tag* tag, guint8 *tag_ptr, guin
 /* length (2 bytes) */
 taglength = pntoh16(&tag_ptr[2]);
- if (remaining_len < (guint16) ERF_META_TAG_ALIGNED_LENGTH(taglength)) {
+ tagtotallength = ERF_META_TAG_ALIGNED_LENGTH(taglength);
+
+ if (remaining_len < tagtotallength) {
 return 0;
 }
@@ -1254,7 +1257,7 @@ static guint32 erf_meta_read_tag(struct erf_meta_tag* tag, guint8 *tag_ptr, guin
 tag->length = taglength;
 tag->value = &tag_ptr[4];
- return ERF_META_TAG_ALIGNED_LENGTH(tag->length);
+ return tagtotallength;
 }
 static int populate_capture_host_info(erf_t *erf_priv, wtap *wth, union wtap_pseudo_header *pseudo_header _U_, struct erf_meta_read_state *state) |
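Review bot: The macro parameter is still unparenthesized in the new `ERF_META_TAG_ALIGNED_LENGTH` definition, so the `(guint32)` cast applies only to the first operand of whatever expression a caller passes, and operator precedence can regroup the rest. The call sites visible in this diff pass a plain identifier, so nothing is wrong today. Since this macro feeds a bounds check on file-supplied lengths, it is still worth hardening as `((((guint32)(taglength) + 0x3U) & ~0x3U) + ERF_META_TAG_HEADERLEN)`. A `static inline guint32` helper taking a `guint16` would give the same arithmetic with type checking and no expansion hazards.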
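Review bot: Nothing at the new `tagtotallength = ERF_META_TAG_ALIGNED_LENGTH(taglength);` line records why the total is held in a `guint32`, and that width is what makes the bounds check sound. The removed `(guint16)` cast shows how easily the check is narrowed again: a 16-bit `taglength` near its maximum pads to 0x10000 before the header is added, which a 16-bit value cannot hold. I would add a comment above the assignment such as `/* padded length + header can exceed 16 bits (taglength up to 0xFFFF); must stay guint32 */`. The function's signature is truncated in the hunk header and its body spans several hunks, so the declared type of `remaining_len` is not visible here and should be confirmed to be at least 32 bits wide.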