authorJaap Keuter <jaap.keuter@xs4all.nl>2009-06-24 20:27:58 +0000
committerJaap Keuter <jaap.keuter@xs4all.nl>2009-06-24 20:27:58 +0000
commit479b1ee73780b8e1f4565c1fd912cda234f4a09e (patch)
treef911b45bb2d1e8d7671b0be6f7aeb746fcb42c5d /wiretap
parente03ac6b82e6ff178e9ca4f886a8d9a4180591f30 (diff)
From Duncan Salerno:
Ensure dct3trace packets are never longer than 23 bytes. svn path=/trunk/; revision=28838
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/dct3trace.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/wiretap/dct3trace.c b/wiretap/dct3trace.c
index c9f4eddef6..90d05d8036 100644
--- a/wiretap/dct3trace.c
+++ b/wiretap/dct3trace.c
@@ -2,7 +2,7 @@
* Routines for reading signalling traces generated by Gammu (www.gammu.org)
* from Nokia DCT3 phones in Netmonitor mode.
*
- * gammu --nokiadebug nhm5_587.txt v20-25,v18-19
+ * gammu --nokiadebug nhm5_587.txt v18-19
*
* Duncan Salerno <duncan.salerno@googlemail.com>
*
@@ -73,6 +73,7 @@ static const char dct3trace_magic_l2_start[] = "<l2 ";
static const char dct3trace_magic_l2_end[] = "</l2>";
static const char dct3trace_magic_end[] = "</dump>";
+#define MAX_PACKET_LEN 23
static gboolean dct3trace_read(wtap *wth, int *err, gchar **err_info,
gint64 *data_offset);
@@ -103,6 +104,10 @@ hex2bin(unsigned char *out, unsigned char *in)
int is_low = 0;
int c;
+ /* Clamp to maximum packet size */
+ if (end - in > MAX_PACKET_LEN*2) /* As we're reading nibbles */
+ end = in + MAX_PACKET_LEN*2;
+
while (in < end)
{
c = hc2b(in[0]);
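Review bot: The clamp at `if (end - in > MAX_PACKET_LEN*2)` limits how much input is decoded, but hex2bin still does not know how much room remains behind `out`, so it only protects callers that pass the very start of a MAX_PACKET_LEN-byte buffer. If a caller writes header bytes first and then passes an advanced pointer (worth checking in the `<l2 ...>` branch of dct3trace_get_packet, whose body is not fully visible in this diff), the write could still run past the `char buf[MAX_PACKET_LEN]` arrays declared in dct3trace_read and dct3trace_seek_read. Passing the remaining capacity explicitly would close that gap: `hex2bin(unsigned char *out, size_t out_size, unsigned char *in)` with `if ((size_t)(end - in) > out_size * 2) end = in + out_size * 2;`. Over-long data is also truncated silently here; returning an error so the reader can report the file as malformed may be the safer behaviour. hex2bin begins and ends outside the hunk, including the computation of `end`.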
@@ -143,6 +148,8 @@ xml_get_int(int *val, const unsigned char *str, const unsigned char *pattern)
end = strchr(start, '"');
if (end == NULL)
return -3;
+ if (end - start > 31)
+ return -4;
memcpy(buf, start, end - start);
buf[end - start] = '\0';
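Review bot: The literal `31` in `if (end - start > 31)` is tied to the size of `buf`, which is declared outside this hunk (presumably 32 bytes), so the check and the array can drift apart if either one is changed later. If `buf` is a local array, deriving the limit from it keeps both the memcpy and the terminator write in bounds by construction: `if ((size_t)(end - start) >= sizeof(buf)) return -4;`. The new `-4` return value should also be added to whatever comment documents this function's error codes, if one exists.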
@@ -288,7 +295,7 @@ static gboolean dct3trace_get_packet(FILE *fh, union wtap_pseudo_header *pseudo_
}
else if( !have_data && memcmp(dct3trace_magic_l2_start, line, strlen(dct3trace_magic_l2_start)) == 0 )
{
- /* For uplink packets we don't get the raw L1, so have to recreate it from the L2 */
+ /* For uplink packets we might not get the raw L1, so have to recreate it from the L2 */
/* Parse L2 header if didn't get data from L1 <l2 ...> */
int data_len = 0;
char *ptr = strstr(line, "data=\"");
@@ -336,7 +343,7 @@ static gboolean dct3trace_read(wtap *wth, int *err, gchar **err_info,
{
guint64 offset = file_tell(wth->fh);
int buf_len;
- char buf[23];
+ char buf[MAX_PACKET_LEN];
if( !dct3trace_get_packet(wth->fh, &wth->pseudo_header, buf, &buf_len, err, err_info) )
{
@@ -365,7 +372,7 @@ static gboolean dct3trace_seek_read (wtap *wth, gint64 seek_off,
int *err, gchar **err_info)
{
int buf_len;
- char buf[23];
+ char buf[MAX_PACKET_LEN];
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
{