authorMichael Mann <mmann78@netscape.net>2016-03-18 21:06:51 -0400
committerAlexis La Goutte <alexis.lagoutte@gmail.com>2016-03-20 14:03:57 +0000
commit4cdc9eeba58f866bd5f273e9c5b3876857a7a4bf (patch)
tree45ee45f877bd9222b585e2dc354f57974010b3d8
parent92db934c7c4473ab97883c95b920b027f89f4b8d (diff)
PKTC must be stricter with its Kerberos application choices.
The PKTC dissector calls the Kerberos dissector assuming certain application values. Because different application values can have different "private" data, corruption can occur. Ensure the Kerberos application values match the preceding comments by checking the ber identifier before calling the Kerberos dissector. Bug: 12206 Change-Id: I9b04837f93a56681cae3816278315cf01da17544 Reviewed-on: https://code.wireshark.org/review/14520 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
-rw-r--r--epan/dissectors/packet-pktc.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/epan/dissectors/packet-pktc.c b/epan/dissectors/packet-pktc.c
index 06a217b5f8..210b30873d 100644
--- a/epan/dissectors/packet-pktc.c
+++ b/epan/dissectors/packet-pktc.c
@@ -36,6 +36,7 @@
#include <epan/to_str.h>
#include <epan/asn1.h>
#include "packet-pktc.h"
+#include "packet-ber.h"
#include "packet-kerberos.h"
#include "packet-snmp.h"
@@ -95,6 +96,7 @@ static gint ett_pktc_mtafqdn = -1;
static expert_field ei_pktc_unknown_kmmid = EI_INIT;
static expert_field ei_pktc_unknown_doi = EI_INIT;
+static expert_field ei_pktc_unknown_kerberos_application = EI_INIT;
#define KMMID_WAKEUP 0x01
#define KMMID_AP_REQUEST 0x02
@@ -548,6 +550,9 @@ dissect_pktc_mtafqdn(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void*
proto_tree *pktc_mtafqdn_tree;
proto_item *item;
tvbuff_t *pktc_mtafqdn_tvb;
+ gint8 ber_class;
+ gboolean pc;
+ gint32 tag;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "PKTC");
@@ -559,11 +564,22 @@ dissect_pktc_mtafqdn(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void*
/* KRB_AP_RE[QP] */
pktc_mtafqdn_tvb = tvb_new_subset_remaining(tvb, offset);
- offset += dissect_kerberos_main(pktc_mtafqdn_tvb, pinfo, pktc_mtafqdn_tree, FALSE, NULL);
+ get_ber_identifier(pktc_mtafqdn_tvb, 0, &ber_class, &pc, &tag);
+ if ((tag == 10) || (tag == 11)) {
+ offset += dissect_kerberos_main(pktc_mtafqdn_tvb, pinfo, pktc_mtafqdn_tree, FALSE, NULL);
+ } else {
+ expert_add_info_format(pinfo, item, &ei_pktc_unknown_kerberos_application, "Unknown Kerberos application (%d), expected 10 or 11", tag);
+ return tvb_captured_length(tvb);
+ }
/* KRB_SAFE */
pktc_mtafqdn_tvb = tvb_new_subset_remaining(tvb, offset);
- offset += dissect_kerberos_main(pktc_mtafqdn_tvb, pinfo, pktc_mtafqdn_tree, FALSE, cb);
+ get_ber_identifier(pktc_mtafqdn_tvb, 0, &ber_class, &pc, &tag);
+ if (tag == 20) {
+ offset += dissect_kerberos_main(pktc_mtafqdn_tvb, pinfo, pktc_mtafqdn_tree, FALSE, cb);
+ } else {
+ expert_add_info_format(pinfo, item, &ei_pktc_unknown_kerberos_application, "Unknown Kerberos application (%d), expected 20", tag);
+ }
proto_item_set_len(item, offset);
return tvb_captured_length(tvb);
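Review bot: Both new guards compare only `tag`; `ber_class` and `pc` are filled in by get_ber_identifier() but never read in the lines shown, so an identifier with number 10, 11 or 20 in a non-APPLICATION class still reaches dissect_kerberos_main(). Since the commit's stated aim is to pin the Kerberos application choice before handing over untrusted packet bytes, the class should be part of the test: `if ((ber_class == BER_CLASS_APP) && ((tag == 10) || (tag == 11))) {` and `if ((ber_class == BER_CLASS_APP) && (tag == 20)) {`. As a smaller style point, the bare 10/11/20 would read better as named constants next to the `/* KRB_AP_RE[QP] */` and `/* KRB_SAFE */` comments, and the two else branches differ (the first returns early, the second falls through), which deserves a short comment such as `/* nothing follows KRB_SAFE, fall through to set the item length */`. dissect_pktc_mtafqdn starts and ends outside this hunk, so any later use of these variables is not visible here.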
@@ -776,6 +792,7 @@ proto_register_pktc_mtafqdn(void)
static ei_register_info ei[] = {
{ &ei_pktc_unknown_kmmid, { "pktc.mtafqdn.unknown_kmmid", PI_PROTOCOL, PI_WARN, "Unknown KMMID", EXPFILL }},
{ &ei_pktc_unknown_doi, { "pktc.mtafqdn.unknown_doi", PI_PROTOCOL, PI_WARN, "Unknown DOI", EXPFILL }},
+ { &ei_pktc_unknown_kerberos_application, { "pktc.mtafqdn.unknown_kerberos_application", PI_PROTOCOL, PI_WARN, "Unknown Kerberos application", EXPFILL }},
};
expert_module_t* expert_pktc;