author | Evan Huus <eapache@gmail.com> | 2014-01-21 18:48:01 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2014-01-21 18:48:01 +0000 |
commit | f4ab2b2b004bc46eb91607dbc8146e388d4e6f2a (patch) | |
tree | 6bc63fd1199948028208f0f1e1bf544ca45dfc0e /epan/dissectors/packet-nfs.c | |
parent | 4d9475e4ef71951d60120746f8bb130d3918f015 (diff) |
Harden nfs_name_snoop_add_name against various malformed inputs. Thanks to Moshe
Kaplan for the report.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 and some
other cases in the same vein.
svn path=/trunk/; revision=54875
Diffstat (limited to 'epan/dissectors/packet-nfs.c')
-rw-r--r-- | epan/dissectors/packet-nfs.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
index c4641192ec..b2a29ee724 100644
--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
@@ -965,6 +965,13 @@ nfs_name_snoop_add_name(int xid, tvbuff_t *tvb, int name_offset, int name_len, i
 nfs_name_snoop_t *nns, *old_nns;
 const char *ptr;
+ if (name_len <= 0) {
+ /* Do we need some way to signal an error here? This could be
+ * programmatic or just a corrupt packet, depending on the
+ * caller... */
+ return;
+ }
+
 /* filter out all '.' and '..' names */
 if (!name) {
 ptr = (const char *)tvb_get_ptr(tvb, name_offset, name_len);
@@ -972,17 +979,17 @@ nfs_name_snoop_add_name(int xid, tvbuff_t *tvb, int name_offset, int name_len, i
 ptr = name;
 }
 if (ptr[0] == '.') {
- if (ptr[1] == 0) {
+ if (name_len <= 1 || ptr[1] == 0) {
 return;
 }
 if (ptr[1] == '.') {
- if (ptr[2] == 0) {
+ if (name_len <= 2 || ptr[2] == 0) {
 return;
 }
 }
 }
- nns = (nfs_name_snoop_t *)g_malloc(sizeof(nfs_name_snoop_t));
+ nns = g_new(nfs_name_snoop_t, 1);
 nns->fh_length = 0;
 nns->fh = NULL; |
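Review bot: The new `name_len <= 0` early return in the first hunk, and the `name_len <= 1` / `name_len <= 2` bounds in the second, also govern the `ptr = name` branch, where the bytes come from the caller's string rather than from the tvb. If any caller passes a non-NULL `name` with a zero or mismatched `name_len`, its entry is now silently dropped, or the '.'/'..' filter is bounded by a length that does not describe `name`. The callers are not part of this diff, so that needs confirming against them. If `name_len` is meant to be the byte count for both sources, the open question in the added comment would be better replaced by the contract, for example `/* name_len is the number of valid bytes at ptr (tvb or name); non-positive lengths are dropped without a snoop entry */`. The function body starts before the first hunk and continues past the second, so later uses of `name_len` and of the parameters cut off in the hunk header are not visible here and deserve the same bound check.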