authorGuy Harris <guy@alum.mit.edu>2016-04-29 15:19:49 -0700
committerGuy Harris <guy@alum.mit.edu>2016-04-29 22:20:26 +0000
commit5efb45231671baa2db2011d8f67f9d6e72bc455b (patch)
tree2efe91dc0c1b821ff0d35ecab203f5d731936d09 /wiretap
parente61ed6729878cba5a3b65c95b3370bdd9841452d (diff)
Fix packet length handling.
Treat the packet length as unsigned - it shouldn't be negative in the file. If it is, that'll probably cause the sscanf to fail, so we'll report the file as bad. Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to allocate a huge amount of memory, just as we do in other file readers. Use the now-validated packet size as the length in ws_buffer_assure_space(), so we are certain to have enough space, and don't allocate too much space. Bug: 12394 Change-Id: Ifa023ce70f7a2697bf151009b035a6e6cf8d5d90 Reviewed-on: https://code.wireshark.org/review/15169 Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/toshiba.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/wiretap/toshiba.c b/wiretap/toshiba.c
index 091eb1e4c1..9a06681189 100644
--- a/wiretap/toshiba.c
+++ b/wiretap/toshiba.c
@@ -98,11 +98,6 @@ static const char toshiba_hdr_magic[] =
static const char toshiba_rec_magic[] = { '[', 'N', 'o', '.' };
#define TOSHIBA_REC_MAGIC_SIZE (sizeof toshiba_rec_magic / sizeof toshiba_rec_magic[0])
-/*
- * XXX - is this the biggest packet we can get?
- */
-#define TOSHIBA_MAX_PACKET_LEN 16384
-
static gboolean toshiba_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset);
static gboolean toshiba_seek_read(wtap *wth, gint64 seek_off,
@@ -253,7 +248,8 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
char line[TOSHIBA_LINE_LENGTH];
int num_items_scanned;
- int pkt_len, pktnum, hr, min, sec, csec;
+ guint pkt_len;
+ int pktnum, hr, min, sec, csec;
char channel[10], direction[10];
int i, hex_lines;
guint8 *pd;
@@ -305,12 +301,22 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
} while (strcmp(line, "OFFSET 0001-0203") != 0);
- num_items_scanned = sscanf(line+64, "LEN=%9d", &pkt_len);
+ num_items_scanned = sscanf(line+64, "LEN=%9u", &pkt_len);
if (num_items_scanned != 1) {
*err = WTAP_ERR_BAD_FILE;
*err_info = g_strdup("toshiba: OFFSET line doesn't have valid LEN item");
return FALSE;
}
+ if (pkt_len > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup_printf("toshiba: File has %u-byte packet, bigger than maximum of %u",
+ pkt_len, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
phdr->rec_type = REC_TYPE_PACKET;
phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
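Review bot: `sscanf(line+64, "LEN=%9u", &pkt_len)` parses from a fixed offset, and nothing visible in this hunk checks that the line just read is at least 64 characters long. The loop above exits only when `strcmp(line, "OFFSET 0001-0203")` returns 0, so `line` is NUL-terminated at index 16 by then and offset 64 holds whatever the last read left in the buffer; on a short OFFSET line that would be stale or uninitialized data. The read loop starts outside the hunk, so this needs confirming there, but recording the line length before the truncation and returning WTAP_ERR_BAD_FILE when it is under 64 would close the gap. Separately, `%u` accepts a leading minus sign and wraps it, so the new bound test is what actually rejects a negative LEN; its comment could say so, e.g. `/* %u also accepts "-N" and wraps it to a huge value, which this test rejects */`.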
@@ -341,7 +347,7 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
}
/* Make sure we have enough room for the packet */
- ws_buffer_assure_space(buf, TOSHIBA_MAX_PACKET_LEN);
+ ws_buffer_assure_space(buf, pkt_len);
pd = ws_buffer_start_ptr(buf);
/* Calculate the number of hex dump lines, each
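Review bot: `ws_buffer_assure_space(buf, pkt_len)` now reserves exactly the declared length, so it is safe only if the hex-dump loop that follows never stores past `pd[pkt_len - 1]`. That loop lies outside the hunk, but the trailing comment describes the data as fixed-size hex dump lines. If each line is decoded as a whole row, the last row of a packet whose length is not a multiple of the row size could write beyond the reserved space, which the old fixed `TOSHIBA_MAX_PACKET_LEN` reservation would have hidden for small packets. Either bound the per-row store by the bytes remaining, or reserve the length rounded up to a full row and document it with `/* rows are decoded whole; reserve up to the next full row */`.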