authorJohn Thacker <johnthacker@gmail.com>2022-01-06 08:51:54 -0500
committerA Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org>2022-01-07 03:17:07 +0000
commitc14d731e4580adea858b5745aa89c7975eff8966 (patch)
tree428d5b2bed2453ede67356dc11294d6535e1f9ad /epan/dissectors/packet-cms.c
parent06bc298fbdbfaf9293371e3229b849a1553b8a79 (diff)
CMS: get rid of globals
Get rid of the global content_tvb and object_identifier_id in the CMS dissector, and put them in a packet-scoped proto data struct, so that when there's a non-fatal exception retrieving the OID we don't use the global value from a previous packet (or worse, a previous file). What content_tvb and object_identifier_id pointed to was packet scoped in both cases, so using a stale value could lead to memory access violations. Clear the values of the OID and the content_tvb each time before they are retrieved, so that values from a previous CMS PDU in the same packet aren't used either. This was not quite as bad as using a value already freed, but still bad. Fix #17800, #17809, #17835
Diffstat (limited to 'epan/dissectors/packet-cms.c')
-rw-r--r--epan/dissectors/packet-cms.c154
1 files changed, 98 insertions, 56 deletions
diff --git a/epan/dissectors/packet-cms.c b/epan/dissectors/packet-cms.c
index d6e5e1da52..8c96042af6 100644
--- a/epan/dissectors/packet-cms.c
+++ b/epan/dissectors/packet-cms.c
@@ -23,6 +23,7 @@
#include <epan/packet.h>
#include <epan/oids.h>
#include <epan/asn1.h>
+#include <epan/proto_data.h>
#include <wsutil/wsgcrypt.h>
#include "packet-ber.h"
@@ -222,7 +223,7 @@ static int hf_cms_config_item = -1; /* CurrentFWConfig */
static int hf_cms_msgDigest = -1; /* OCTET_STRING */
/*--- End of included file: packet-cms-hf.c ---*/
-#line 39 "./asn1/cms/packet-cms-template.c"
+#line 40 "./asn1/cms/packet-cms-template.c"
/* Initialize the subtree pointers */
@@ -306,13 +307,14 @@ static gint ett_cms_HardwareModuleName = -1;
static gint ett_cms_FirmwarePackageMessageDigest = -1;
/*--- End of included file: packet-cms-ett.c ---*/
-#line 42 "./asn1/cms/packet-cms-template.c"
+#line 43 "./asn1/cms/packet-cms-template.c"
static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2wrs stops generating these silly wrappers */
-
-static const char *object_identifier_id = NULL;
-static tvbuff_t *content_tvb = NULL;
+struct cms_private_data {
+ const char *object_identifier_id;
+ tvbuff_t *content_tvb;
+};
static proto_tree *top_tree=NULL;
static proto_tree *cap_tree=NULL;
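Review bot: `top_tree` and `cap_tree`, on the two context lines after the new struct, are still file-scope statics holding `proto_tree` pointers, so they keep the cross-packet lifetime this commit removes for the OID and the content tvb. `top_tree` is reset only after `dissect_ber_sequence` returns in `dissect_cms_ContentInfo`, and `cap_tree` is assigned in `dissect_cms_T_capability` with no reset visible in this diff, so an exception in between would presumably leave a pointer into a tree from an earlier packet. Consider moving both into the struct as extra members, `proto_tree *top_tree;` and `proto_tree *cap_tree;`, and reading them through `cms_get_private_data()` like the other two fields.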
@@ -330,6 +332,17 @@ static proto_tree *cap_tree=NULL;
unsigned char digest_buf[MAX(HASH_SHA1_LENGTH, HASH_MD5_LENGTH)];
+static struct cms_private_data*
+cms_get_private_data(packet_info *pinfo)
+{
+ struct cms_private_data *cms_data = (struct cms_private_data*)p_get_proto_data(pinfo->pool, pinfo, proto_cms, 0);
+ if (!cms_data) {
+ cms_data = wmem_new0(pinfo->pool, struct cms_private_data);
+ p_add_proto_data(pinfo->pool, pinfo, proto_cms, 0, cms_data);
+ }
+ return cms_data;
+}
+
static void
cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff_t *tvb, int offset)
{
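Review bot: `cms_get_private_data` has no comment stating the lifetime and sharing of the struct it returns. It uses a single key (`proto_cms`, 0) on `pinfo->pool`, so every CMS PDU in the packet reads and writes the same two fields, presumably including one dissected from inside eContent. A comment above the function would make that contract explicit, for example `/* Per-packet CMS state (pinfo->pool lifetime), zeroed on first use; shared by all CMS PDUs in the packet, so clear a field before refilling it. */`. The last lines of this hunk belong to `cms_verify_msg_digest`, whose body continues outside it.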
@@ -373,16 +386,18 @@ cms_verify_msg_digest(proto_item *pi, tvbuff_t *content, const char *alg, tvbuff
int
dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 132 "./asn1/cms/cms.cnf"
- const char *name = NULL;
+#line 130 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
+ const char *name = NULL;
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id);
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &cms_data->object_identifier_id);
- if(object_identifier_id) {
- name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id);
- proto_item_append_text(tree, " (%s)", name ? name : object_identifier_id);
- }
+ if(cms_data->object_identifier_id) {
+ name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id);
+ proto_item_append_text(tree, " (%s)", name ? name : cms_data->object_identifier_id);
+ }
@@ -394,7 +409,8 @@ dissect_cms_ContentType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_content(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 142 "./asn1/cms/cms.cnf"
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -416,8 +432,6 @@ dissect_cms_ContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
ContentInfo_sequence, hf_index, ett_cms_ContentInfo);
- content_tvb = NULL;
- object_identifier_id = NULL;
top_tree = NULL;
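Review bot: Removing the two resets here leaves `content_tvb` cleared only on entry to `dissect_cms_T_eContent`, so a ContentInfo whose eContent is absent never clears it. `dissect_cms_MessageDigest` would then test and hash the `content_tvb` left by an earlier CMS PDU in the same packet, which the description says should not be used. Clearing on entry instead, with `cms_data->content_tvb = NULL;` before the `dissect_ber_sequence` call, would cover that case. How that interacts with a ContentInfo nested inside eContent needs checking first. The function body begins outside this hunk.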
@@ -471,14 +485,15 @@ dissect_cms_DigestAlgorithmIdentifiers(gboolean implicit_tag _U_, tvbuff_t *tvb
static int
dissect_cms_T_eContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 146 "./asn1/cms/cms.cnf"
+#line 147 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->content_tvb = NULL;
+ offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &cms_data->content_tvb);
- offset = dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &content_tvb);
+ if(cms_data->content_tvb) {
+ proto_item_set_text(actx->created_item, "eContent (%u bytes)", tvb_reported_length(cms_data->content_tvb));
- if(content_tvb) {
- proto_item_set_text(actx->created_item, "eContent (%u bytes)", tvb_reported_length (content_tvb));
-
- call_ber_oid_callback(object_identifier_id, content_tvb, 0, actx->pinfo, top_tree ? top_tree : tree, NULL);
+ call_ber_oid_callback(cms_data->object_identifier_id, cms_data->content_tvb, 0, actx->pinfo, top_tree ? top_tree : tree, NULL);
}
@@ -505,15 +520,17 @@ dissect_cms_EncapsulatedContentInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
static int
dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 176 "./asn1/cms/cms.cnf"
+#line 194 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
const char *name = NULL;
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &cms_data->object_identifier_id);
- if(object_identifier_id) {
- name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id);
- proto_item_append_text(tree, " (%s)", name ? name : object_identifier_id);
+ if(cms_data->object_identifier_id) {
+ name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id);
+ proto_item_append_text(tree, " (%s)", name ? name : cms_data->object_identifier_id);
}
@@ -525,9 +542,10 @@ dissect_cms_T_attrType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_AttributeValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 186 "./asn1/cms/cms.cnf"
+#line 206 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -778,7 +796,12 @@ dissect_cms_CertificateSet(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
static int
dissect_cms_T_otherRevInfoFormat(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id);
+#line 183 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
+
+
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &cms_data->object_identifier_id);
return offset;
}
@@ -787,8 +810,9 @@ dissect_cms_T_otherRevInfoFormat(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i
static int
dissect_cms_T_otherRevInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 170 "./asn1/cms/cms.cnf"
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+#line 187 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -1115,7 +1139,12 @@ dissect_cms_GeneralizedTime(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
static int
dissect_cms_T_keyAttrId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_ci_contentType, &object_identifier_id);
+#line 172 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
+
+
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_ci_contentType, &cms_data->object_identifier_id);
return offset;
}
@@ -1124,8 +1153,10 @@ dissect_cms_T_keyAttrId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_keyAttr(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 165 "./asn1/cms/cms.cnf"
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+#line 176 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+
return offset;
@@ -1303,7 +1334,12 @@ dissect_cms_PasswordRecipientInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
static int
dissect_cms_T_oriType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &object_identifier_id);
+#line 161 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
+
+
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_index, &cms_data->object_identifier_id);
return offset;
}
@@ -1312,8 +1348,9 @@ dissect_cms_T_oriType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _
static int
dissect_cms_T_oriValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 159 "./asn1/cms/cms.cnf"
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+#line 165 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -1389,18 +1426,19 @@ dissect_cms_ContentEncryptionAlgorithmIdentifier(gboolean implicit_tag _U_, tvbu
static int
dissect_cms_EncryptedContent(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 236 "./asn1/cms/cms.cnf"
+#line 261 "./asn1/cms/cms.cnf"
tvbuff_t *encrypted_tvb;
proto_item *item;
offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
&encrypted_tvb);
-#line 241 "./asn1/cms/cms.cnf"
+#line 266 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
- item = actx->created_item;
+ item = actx->created_item;
- PBE_decrypt_data(object_identifier_id, encrypted_tvb, actx->pinfo, actx, item);
+ PBE_decrypt_data(cms_data->object_identifier_id, encrypted_tvb, actx->pinfo, actx, item);
return offset;
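Review bot: `encrypted_tvb` is declared without an initializer and passed to `PBE_decrypt_data` without a NULL test, unlike the `content_tvb` path in `dissect_cms_T_eContent`, which this commit clears before the call and checks afterwards. Whether `dissect_ber_octet_string` always writes the out pointer is not visible here, so it is safer to declare `tvbuff_t *encrypted_tvb = NULL;` and guard the call with `if (encrypted_tvb)`. `cms_data->object_identifier_id` can also be NULL at this point now that a failed OID parse leaves it cleared, so `PBE_decrypt_data` should be confirmed to tolerate a NULL OID. This body is generated, so the change belongs in `asn1/cms/cms.cnf`.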
@@ -1554,7 +1592,8 @@ dissect_cms_AuthenticatedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
static int
dissect_cms_MessageDigest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 190 "./asn1/cms/cms.cnf"
+#line 211 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
proto_item *pi;
int old_offset = offset;
@@ -1568,8 +1607,8 @@ dissect_cms_MessageDigest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs
old_offset = get_ber_identifier(tvb, old_offset, NULL, NULL, NULL);
old_offset = get_ber_length(tvb, old_offset, NULL, NULL);
- if(content_tvb)
- cms_verify_msg_digest(pi, content_tvb, x509af_get_last_algorithm_id(), tvb, old_offset);
+ if(cms_data->content_tvb)
+ cms_verify_msg_digest(pi, cms_data->content_tvb, x509af_get_last_algorithm_id(), tvb, old_offset);
@@ -1638,7 +1677,7 @@ dissect_cms_KeyWrapAlgorithm(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
static int
dissect_cms_RC2ParameterVersion(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 226 "./asn1/cms/cms.cnf"
+#line 251 "./asn1/cms/cms.cnf"
guint32 length = 0;
offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
@@ -1716,15 +1755,17 @@ dissect_cms_DigestInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
static int
dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 208 "./asn1/cms/cms.cnf"
+#line 230 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
+ cms_data->object_identifier_id = NULL;
const char *name = NULL;
- offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &object_identifier_id);
+ offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_cms_attrType, &cms_data->object_identifier_id);
- if(object_identifier_id) {
- name = oid_resolved_from_string(actx->pinfo->pool, object_identifier_id);
- proto_item_append_text(tree, " %s", name ? name : object_identifier_id);
+ if(cms_data->object_identifier_id) {
+ name = oid_resolved_from_string(actx->pinfo->pool, cms_data->object_identifier_id);
+ proto_item_append_text(tree, " %s", name ? name : cms_data->object_identifier_id);
cap_tree = tree;
}
@@ -1737,9 +1778,10 @@ dissect_cms_T_capability(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
static int
dissect_cms_T_parameters(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 219 "./asn1/cms/cms.cnf"
+#line 243 "./asn1/cms/cms.cnf"
+ struct cms_private_data *cms_data = cms_get_private_data(actx->pinfo);
- offset=call_ber_oid_callback(object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
+ offset=call_ber_oid_callback(cms_data->object_identifier_id, tvb, offset, actx->pinfo, tree, NULL);
@@ -2523,7 +2565,7 @@ static int dissect_FirmwarePackageMessageDigest_PDU(tvbuff_t *tvb _U_, packet_in
/*--- End of included file: packet-cms-fn.c ---*/
-#line 102 "./asn1/cms/packet-cms-template.c"
+#line 115 "./asn1/cms/packet-cms-template.c"
/*--- proto_register_cms ----------------------------------------------*/
void proto_register_cms(void) {
@@ -3235,7 +3277,7 @@ void proto_register_cms(void) {
"OCTET_STRING", HFILL }},
/*--- End of included file: packet-cms-hfarr.c ---*/
-#line 113 "./asn1/cms/packet-cms-template.c"
+#line 126 "./asn1/cms/packet-cms-template.c"
};
/* List of subtrees */
@@ -3321,7 +3363,7 @@ void proto_register_cms(void) {
&ett_cms_FirmwarePackageMessageDigest,
/*--- End of included file: packet-cms-ettarr.c ---*/
-#line 118 "./asn1/cms/packet-cms-template.c"
+#line 131 "./asn1/cms/packet-cms-template.c"
};
/* Register protocol */
@@ -3397,7 +3439,7 @@ void proto_reg_handoff_cms(void) {
/*--- End of included file: packet-cms-dis-tab.c ---*/
-#line 141 "./asn1/cms/packet-cms-template.c"
+#line 154 "./asn1/cms/packet-cms-template.c"
/* RFC 3370 [CMS-ASN} section 4.3.1 */
register_ber_oid_dissector("1.2.840.113549.1.9.16.3.6", dissect_ber_oid_NULL_callback, proto_cms, "id-alg-CMS3DESwrap");