Define a maximum OID string length, and use it in a lot of places. Fixes a

buffer overflow found while fuzz testing.

svn path=/trunk/; revision=14169

13 files changed, 20 insertions, 18 deletions

diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index f90617b96c..69cec54361 100644
--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -1,4 +1,4 @@
-/*#define DEBUG_BER 1*/
+/* #define DEBUG_BER 1 */
 /* TODO: change #.REGISTER signature to new_dissector_t and
  * update call_ber_oid_callback() accordingly.
  */
@@ -1185,7 +1185,7 @@ int dissect_ber_object_identifier(gboolean implicit_tag, packet_info *pinfo, pro
 	int eoffset;
 	guint8 byte;
 	guint32 value;
-	char str[256],*strp, *name;
+	char str[BER_MAX_OID_STR_LEN],*strp, *name;
 	proto_item *item;
 
 #ifdef DEBUG_BER
@@ -1231,8 +1231,8 @@ printf("OBJECT IDENTIFIER dissect_ber_object_identifier(%s) entered\n",name);
 		byte = tvb_get_guint8(tvb, offset);
 		offset++;
 
-		if((strp-str)>200){
-    	    proto_tree_add_text(tree, tvb, offset, eoffset - offset, "BER Error: too long Object Identifier");
+		if((strp-str) > BER_MAX_OID_STR_LEN - 10) { /* 3 digits + '.' + 3 digits + '\0' + slop */
+    	    proto_tree_add_text(tree, tvb, offset, eoffset - offset, "BER Error: too long Object Identifier (%d bytes)", strp-str);
 			return offset;
 		}
 
diff --git a/epan/dissectors/packet-ber.h b/epan/dissectors/packet-ber.h
index ecefef4337..2a65ca336d 100644
--- a/epan/dissectors/packet-ber.h
+++ b/epan/dissectors/packet-ber.h
@@ -71,6 +71,8 @@ typedef int (*ber_callback)(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb,
 #define BER_UNI_TAG_CHARACTERSTRING	    29
 #define BER_UNI_TAG_BMPString		    30
 
+#define BER_MAX_OID_STR_LEN 256
+
 /* this function dissects the identifier octer of the BER TLV.
  * We only handle TAGs (and LENGTHs) that fit inside 32 bit integers.
  */
diff --git a/epan/dissectors/packet-cmip.c b/epan/dissectors/packet-cmip.c
index 6d06fd4682..f82576a351 100644
--- a/epan/dissectors/packet-cmip.c
+++ b/epan/dissectors/packet-cmip.c
@@ -280,14 +280,14 @@ static int opcode_type;
 static int attributeform;
 #define ATTRIBUTE_LOCAL_FORM  0
 #define ATTRIBUTE_GLOBAL_FORM 1
-static char attribute_identifier_id[64]; /*64 chars should be long enough? */
+static char attribute_identifier_id[BER_MAX_OID_STR_LEN];
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 static int objectclassform;
 #define OBJECTCLASS_LOCAL_FORM  0
 #define OBJECTCLASS_GLOBAL_FORM 1
-static char objectclass_identifier_id[64]; /*64 chars should be long enough? */
+static char objectclass_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-cmip-fn.c ---*/
diff --git a/epan/dissectors/packet-cmp.c b/epan/dissectors/packet-cmp.c
index 2db510befb..c39f53f237 100644
--- a/epan/dissectors/packet-cmp.c
+++ b/epan/dissectors/packet-cmp.c
@@ -214,7 +214,7 @@ static gint ett_cmp_ErrorMsgContent = -1;
 /*--- End of included file: packet-cmp-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 
diff --git a/epan/dissectors/packet-cms.c b/epan/dissectors/packet-cms.c
index 02aece5548..4e5fe33a6f 100644
--- a/epan/dissectors/packet-cms.c
+++ b/epan/dissectors/packet-cms.c
@@ -186,7 +186,7 @@ static gint ett_cms_ExtendedCertificateInfo = -1;
 static int dissect_cms_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, int hf_index _U_) ; /* XXX kill a compiler warning until asn2eth stops generating these silly wrappers */
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-cms-fn.c ---*/
diff --git a/epan/dissectors/packet-crmf.c b/epan/dissectors/packet-crmf.c
index 6c1a047741..f1e8cb0d5c 100644
--- a/epan/dissectors/packet-crmf.c
+++ b/epan/dissectors/packet-crmf.c
@@ -153,7 +153,7 @@ static gint ett_crmf_CertId = -1;
 /*--- End of included file: packet-crmf-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-crmf-fn.c ---*/
diff --git a/epan/dissectors/packet-ess.c b/epan/dissectors/packet-ess.c
index a4681c6357..070d394e58 100644
--- a/epan/dissectors/packet-ess.c
+++ b/epan/dissectors/packet-ess.c
@@ -129,7 +129,7 @@ static gint ett_ess_IssuerSerial = -1;
 /*--- End of included file: packet-ess-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-ess-fn.c ---*/
diff --git a/epan/dissectors/packet-ocsp.c b/epan/dissectors/packet-ocsp.c
index 70f7794382..fb4144f251 100644
--- a/epan/dissectors/packet-ocsp.c
+++ b/epan/dissectors/packet-ocsp.c
@@ -139,7 +139,7 @@ static gint ett_ocsp_CrlID = -1;
 /*--- End of included file: packet-ocsp-ett.c ---*/
 
 
-static char responseType_id[64]; /*64 chars should be long enough? */
+static char responseType_id[BER_MAX_OID_STR_LEN];
 
 
 
diff --git a/epan/dissectors/packet-pkix1explicit.c b/epan/dissectors/packet-pkix1explicit.c
index 6cfa0a555e..7d114b928b 100644
--- a/epan/dissectors/packet-pkix1explicit.c
+++ b/epan/dissectors/packet-pkix1explicit.c
@@ -98,7 +98,7 @@ static gint ett_pkix1explicit_TeletexDomainDefinedAttribute = -1;
 
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 int
 dissect_pkix1explicit_Certificate(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, int hf_index) {
diff --git a/epan/dissectors/packet-pkixqualified.c b/epan/dissectors/packet-pkixqualified.c
index d462c3c34b..9ef95d6171 100644
--- a/epan/dissectors/packet-pkixqualified.c
+++ b/epan/dissectors/packet-pkixqualified.c
@@ -94,7 +94,7 @@ static gint ett_pkixqualified_NameRegistrationAuthorities = -1;
 /*--- End of included file: packet-pkixqualified-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-pkixqualified-fn.c ---*/
diff --git a/epan/dissectors/packet-x509af.c b/epan/dissectors/packet-x509af.c
index f460edf448..172177ad40 100644
--- a/epan/dissectors/packet-x509af.c
+++ b/epan/dissectors/packet-x509af.c
@@ -170,10 +170,10 @@ static gint ett_x509af_SET_OF_AttributeType = -1;
 /*--- End of included file: packet-x509af-ett.c ---*/
 
 
-static char algorithm_id[64]; /*64 chars should be long enough? */
+static char algorithm_id[BER_MAX_OID_STR_LEN];
 
 
-static char extension_id[64]; /*64 chars should be long enough? */
+static char extension_id[BER_MAX_OID_STR_LEN];
 
 
 
diff --git a/epan/dissectors/packet-x509ce.c b/epan/dissectors/packet-x509ce.c
index e329b8f645..54712d5294 100644
--- a/epan/dissectors/packet-x509ce.c
+++ b/epan/dissectors/packet-x509ce.c
@@ -260,7 +260,7 @@ static gint ett_x509ce_PkiPathMatchSyntax = -1;
 /*--- End of included file: packet-x509ce-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-x509ce-fn.c ---*/
diff --git a/epan/dissectors/packet-x509if.c b/epan/dissectors/packet-x509if.c
index 7a9f1a87bd..c2ae943f53 100644
--- a/epan/dissectors/packet-x509if.c
+++ b/epan/dissectors/packet-x509if.c
@@ -275,7 +275,7 @@ static gint ett_x509if_MRSubstitution = -1;
 /*--- End of included file: packet-x509if-ett.c ---*/
 
 
-static char object_identifier_id[64]; /*64 chars should be long enough? */
+static char object_identifier_id[BER_MAX_OID_STR_LEN];
 
 
 /*--- Included file: packet-x509if-fn.c ---*/