authorGerald Combs <gerald@wireshark.org>2012-08-07 23:06:29 +0000
committerGerald Combs <gerald@wireshark.org>2012-08-07 23:06:29 +0000
commit5bdeb03b83c13d67c68805c817534b2333f29a42 (patch)
tree0544e3d991288a197b7125215200d242bf76e921 /epan/dissectors/packet-afp.c
parent9fd94df70fe96f7ac030c50a7bbb5d4ee7cfb44a (diff)
Fix a large loop found by Stefan Cornelius of Red Hat Security Response
Team (bug 7603). Display the ACL entry count as decimal instead of hexadecimal. svn path=/trunk/; revision=44317
Diffstat (limited to 'epan/dissectors/packet-afp.c')
-rw-r--r--epan/dissectors/packet-afp.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/epan/dissectors/packet-afp.c b/epan/dissectors/packet-afp.c
index 9ff972cf63..89878931f5 100644
--- a/epan/dissectors/packet-afp.c
+++ b/epan/dissectors/packet-afp.c
@@ -4664,8 +4664,9 @@ decode_kauth_ace(tvbuff_t *tvb, proto_tree *tree, gint offset)
return offset;
}
+#define AFP_MAX_ACL_ENTRIES 500 /* Arbitrary. */
static gint
-decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
+decode_kauth_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset)
{
int entries;
int i;
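Review bot: The comment on `AFP_MAX_ACL_ENTRIES` says only "Arbitrary." and does not tell a later reader what the cap protects. I would document it as `/* Sanity cap on the ACE count taken from the packet; bounds the loop in decode_kauth_acl(). The value itself is arbitrary. */`. The loop in the next hunk adds each ACE with a fixed length of 24 bytes, so a limit derived from the bytes remaining in the tvb may be a tighter check than a constant, though that depends on code outside this hunk. The body of decode_kauth_acl continues past the hunk.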
@@ -4680,9 +4681,14 @@ decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
sub_tree = proto_item_add_subtree(item, ett_afp_ace_entries);
offset += 4;
- proto_tree_add_item(tree, hf_afp_acl_flags, tvb, offset, 4, ENC_BIG_ENDIAN);
+ item = proto_tree_add_item(tree, hf_afp_acl_flags, tvb, offset, 4, ENC_BIG_ENDIAN);
offset += 4;
+ if (entries > AFP_MAX_ACL_ENTRIES) {
+ expert_add_info_format(pinfo, item, PI_UNDECODED, PI_WARN, "Excessive number of ACL entries (%u). Stopping dissection.", entries);
+ THROW(ReportedBoundsError);
+ }
+
for (i = 0; i < entries; i++) {
item = proto_tree_add_text(sub_tree, tvb, offset, 24, "ACE: %u", i);
ace_tree = proto_item_add_subtree(item, ett_afp_ace_entry);
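Review bot: `entries` is declared as a signed `int`, so the new test `entries > AFP_MAX_ACL_ENTRIES` does not fire for a count whose top bit is set. Assuming the count is read as a 32-bit value from the packet (the assignment is outside the hunk), such a packet skips both the warning and the loop and is passed over silently. `if (entries < 0 || entries > AFP_MAX_ACL_ENTRIES) {` would report it, and the `%u` in the message should become `%d` to match the argument type. The expert info is also attached to `item` after it has been reassigned to the `hf_afp_acl_flags` item, so the warning appears under the flags field rather than under the entry count it describes.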
@@ -4694,7 +4700,7 @@ decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
}
static gint
-decode_uuid_acl(tvbuff_t *tvb, proto_tree *tree, gint offset, guint16 bitmap)
+decode_uuid_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, guint16 bitmap)
{
if ((offset & 1))
PAD(1);
@@ -4710,7 +4716,7 @@ decode_uuid_acl(tvbuff_t *tvb, proto_tree *tree, gint offset, guint16 bitmap)
}
if ((bitmap & kFileSec_ACL)) {
- offset = decode_kauth_acl(tvb, tree, offset);
+ offset = decode_kauth_acl(tvb, pinfo, tree, offset);
}
return offset;
@@ -4730,7 +4736,7 @@ dissect_query_afp_set_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, g
offset = decode_name(tree, pinfo, tvb, offset);
- offset = decode_uuid_acl(tvb, tree, offset, bitmap);
+ offset = decode_uuid_acl(tvb, pinfo, tree, offset, bitmap);
return offset;
}
@@ -4762,7 +4768,7 @@ dissect_reply_afp_get_acl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tre
bitmap = decode_acl_list_bitmap(tvb, tree, offset);
offset += 2;
- offset = decode_uuid_acl(tvb, tree, offset, bitmap);
+ offset = decode_uuid_acl(tvb, pinfo, tree, offset, bitmap);
return offset;
}
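Review bot: `pinfo` is now passed on to `decode_uuid_acl`, but the signature of `dissect_reply_afp_get_acl` shown in the hunk header still declares it as `packet_info *pinfo _U_`. The unused marker is no longer accurate and should be dropped, leaving `packet_info *pinfo`. The signature line lies outside the hunk, so this rests on the header context only.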
@@ -6544,7 +6550,7 @@ proto_register_afp(void)
{ &hf_afp_acl_entrycount,
{ "ACEs count", "afp.acl_entrycount",
- FT_UINT32, BASE_HEX, NULL, 0,
+ FT_UINT32, BASE_DEC, NULL, 0,
"Number of ACL entries", HFILL }},
{ &hf_afp_acl_flags,