authorEvan Huus <eapache@gmail.com>2014-01-24 20:48:55 +0000
committerEvan Huus <eapache@gmail.com>2014-01-24 20:48:55 +0000
commita7ea59488d95d51388fde931f35c9e211843175d (patch)
tree8a3b0cf5059aa8616b1b0f0a473b374ca3333eee /plugins
parent5be35448f6daeee93010ceaa306b4c78ee29dd36 (diff)
The wimax plugin primarily uses tvb_get_ptr buffer accesses instead of the
safe accessor functions, and it's all done via scary bit-twiddling macros to boot. Create the macros TVB_NIB_WORD and TVB_NIB_NIBBLE that (should) behave just like the raw-pointer NIB_WORD and NIB_NIBBLE macros, except using the safe tvb functions instead. Replace two instances with the safe versions, which fixes an out-of-bounds access caught by my valgrind fuzzer. If this doesn't break anything then we should probably do a wholesale replacement at some point, but I'm not feeling that adventurous at the moment. svn path=/trunk/; revision=54951
Diffstat (limited to 'plugins')
-rw-r--r--plugins/wimax/msg_ulmap.c4
-rw-r--r--plugins/wimax/wimax_bits.h8
2 files changed, 10 insertions, 2 deletions
diff --git a/plugins/wimax/msg_ulmap.c b/plugins/wimax/msg_ulmap.c
index 9bf0d9977c..7c4689103f 100644
--- a/plugins/wimax/msg_ulmap.c
+++ b/plugins/wimax/msg_ulmap.c
@@ -1595,8 +1595,8 @@ gint dissect_ulmap_ie( proto_tree *ie_tree, const guint8 *bufptr, gint offset, g
nibble = offset;
/* 8.4.5.4 UL-MAP IE format - table 287 */
- cid = NIB_WORD(nibble, bufptr);
- uiuc = NIB_NIBBLE(nibble + 4, bufptr);
+ cid = TVB_NIB_WORD(nibble, tvb);
+ uiuc = TVB_NIB_NIBBLE(nibble + 4, tvb);
if (uiuc == 0)
{
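Review bot: The converted reads of `cid` and `uiuc` apply to `tvb` the same nibble address that was previously applied to `bufptr`, which is only equivalent if `bufptr` points at offset 0 of `tvb`. The callers that obtain `bufptr` are outside this hunk, so that should be confirmed. If it holds, record the assumption next to the reads, e.g. `/* nibble addresses count from tvb offset 0, which bufptr must alias */`. The body of dissect_ulmap_ie continues outside the hunk and presumably still indexes `bufptr` directly, so later fields of a truncated IE may still be read without a bounds check.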
diff --git a/plugins/wimax/wimax_bits.h b/plugins/wimax/wimax_bits.h
index 53b05b7e0c..7eca8f5fb2 100644
--- a/plugins/wimax/wimax_bits.h
+++ b/plugins/wimax/wimax_bits.h
@@ -55,6 +55,10 @@
(((n) & 1) \
? (b)[(n)/2] & NIBBLE_MASK \
: ((b)[(n)/2] >> 4) & NIBBLE_MASK)
+#define TVB_NIB_NIBBLE(n,t) \
+ (((n) & 1) \
+ ? tvb_get_guint8((t), (n)/2) & NIBBLE_MASK \
+ : (tvb_get_guint8((t), (n)/2) >> 4) & NIBBLE_MASK)
/* extract the byte at the given nibble address 'n' of buffer 'b' */
#define NIB_BYTE(n,b) \
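Review bot: TVB_NIB_NIBBLE is added without a comment of its own, unlike the raw-pointer macros around it, and the same applies to TVB_NIB_WORD in the next hunk. A reader cannot tell from the header that `t` is a tvbuff, that `n` is a nibble address counted from the start of that tvbuff, or that the read is bounds-checked and can therefore raise an exception where NIB_NIBBLE would read past the buffer. I would add `/* extract the nibble at nibble address 'n' of tvbuff 't' (bounds-checked; 'n' is evaluated twice) */` above the define. The double evaluation of `n` is harmless for the call site in msg_ulmap.c, but it is worth stating before the planned wholesale replacement.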
@@ -78,6 +82,10 @@
: pletoh16((b) + (n)/2)
? (pletoh32((b)+(n)/2) >> 12) & 0x0000FFFF \
*/
+#define TVB_NIB_WORD(n,t) \
+ (n) & 1 \
+ ? (gint)((tvb_get_ntohl((t), (n)/2) >> 12) & 0x0000FFFF) \
+ : tvb_get_ntohs((t), (n)/2)
/* extract the word at the given nibble address 'n' of buffer 'b' */
#define NIB_LONG(n,b) \
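Review bot: The expansion of TVB_NIB_WORD is not wrapped in parentheses, unlike TVB_NIB_NIBBLE, so it is only correct as the whole right-hand side of an assignment, as in msg_ulmap.c. Inside a larger expression such as `TVB_NIB_WORD(n, t) + 1` or a comparison, the `?:` binds to the wrong operands. The odd-nibble branch also fetches four bytes with tvb_get_ntohl although the 16-bit word spans only three, so a word ending on the last byte of the tvb raises a bounds exception for data that is actually present. Suggested body: `(((n) & 1) \`, `? (gint)((tvb_get_ntoh24((t), (n)/2) >> 4) & 0x0000FFFF) \`, `: (gint)tvb_get_ntohs((t), (n)/2))`.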