authorGilbert Ramirez <gram@alumni.rice.edu>2000-12-09 03:02:43 +0000
committerGilbert Ramirez <gram@alumni.rice.edu>2000-12-09 03:02:43 +0000
commita36915da20b01a5ed67dae2d9775e4fd32fe1b18 (patch)
tree6e7b55913257cc4f6085262a62abfedf3e49e69b /wiretap
parent17c1bf2a591f0f9564c3448baf3a193514257be6 (diff)
Fix for pppdump buffer-overflow check.
From Daniel Thompson <daniel.thompson@st.com> svn path=/trunk/; revision=2748
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/AUTHORS2
-rw-r--r--wiretap/pppdump.c19
2 files changed, 16 insertions, 5 deletions
diff --git a/wiretap/AUTHORS b/wiretap/AUTHORS
index a1f8682836..d3b0b4b867 100644
--- a/wiretap/AUTHORS
+++ b/wiretap/AUTHORS
@@ -8,3 +8,5 @@ Joerg Mayer <jmayer@telemation.de>
Tim Farley <tfarley@iss.net>
Bert Driehuis <driehuis@playbeing.org>
Mike Hall <mlh@io.com>
+Daniel Thompson <daniel.thompson@st.com>
+
diff --git a/wiretap/pppdump.c b/wiretap/pppdump.c
index c97d63280c..340dfac914 100644
--- a/wiretap/pppdump.c
+++ b/wiretap/pppdump.c
@@ -1,6 +1,6 @@
/* pppdump.c
*
- * $Id: pppdump.c,v 1.6 2000/11/19 20:56:17 gerald Exp $
+ * $Id: pppdump.c,v 1.7 2000/12/09 03:02:43 gram Exp $
*
* Copyright (c) 2000 by Gilbert Ramirez <gram@xiexie.org>
*
@@ -83,6 +83,11 @@ Daniel Thompson (STMicroelectronics) <daniel.thompson@st.com>
#define PPPD_NULL 0x00 /* For my own use */
+/* this buffer must be at least (2*PPPD_MTU) + sizeof(ppp_header) + sizeof(lcp_header) +
+ * sizeof(ipcp_header). PPPD_MTU is *very* rarely larger than 1500 so this value is fine
+ */
+#define PPPD_BUF_SIZE 8192
+
typedef enum {
DIRECTION_SENT,
DIRECTION_RECV
@@ -102,7 +107,7 @@ typedef struct {
direction_enum dir;
int cnt;
gboolean esc;
- guint8 buf[8192];
+ guint8 buf[PPPD_BUF_SIZE];
long id_offset;
} pkt_t;
@@ -202,7 +207,7 @@ pppdump_open(wtap *wth, int *err)
wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
wth->file_type = WTAP_FILE_PPPDUMP;
- wth->snapshot_length = 8192; /* just guessing */
+ wth->snapshot_length = PPPD_BUF_SIZE; /* just guessing */
wth->subtype_read = pppdump_read;
wth->subtype_seek_read = pppdump_seek_read;
wth->subtype_close = pppdump_close;
@@ -227,7 +232,7 @@ pppdump_read(wtap *wth, int *err, int *data_offset)
pppdump_t *state;
pkt_id *pid;
- buffer_assure_space(wth->frame_buffer, 8192);
+ buffer_assure_space(wth->frame_buffer, PPPD_BUF_SIZE);
buf = buffer_start_ptr(wth->frame_buffer);
state = wth->capture.generic;
@@ -334,7 +339,7 @@ process_data(pppdump_t *state, FILE_T fh, pkt_t *pkt, int n, guint8 *pd, int *er
return 0;
}
- if (num_written > sizeof(pd)) {
+ if (num_written > PPPD_BUF_SIZE) {
*err = WTAP_ERR_UNC_OVERFLOW;
return -1;
}
@@ -367,6 +372,10 @@ process_data(pppdump_t *state, FILE_T fh, pkt_t *pkt, int n, guint8 *pd, int *er
}
pkt->buf[pkt->cnt++] = c;
+ if (pkt->cnt > PPPD_BUF_SIZE) {
+ *err = WTAP_ERR_UNC_OVERFLOW;
+ return -1;
+ }
break;
}
}
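Review bot: The new bound check in the last hunk of pppdump.c runs after `pkt->buf[pkt->cnt++] = c;` and uses `>`, so when cnt is already PPPD_BUF_SIZE the store to `pkt->buf[PPPD_BUF_SIZE]` happens one element past the array before the check fires on cnt == PPPD_BUF_SIZE + 1. The guard should precede the store and reject a full buffer: `if (pkt->cnt >= PPPD_BUF_SIZE) { *err = WTAP_ERR_UNC_OVERFLOW; return -1; }` followed by `pkt->buf[pkt->cnt++] = c;`. The earlier hunk's `num_written > PPPD_BUF_SIZE` check appears to assume `pd` was sized by the `buffer_assure_space(wth->frame_buffer, PPPD_BUF_SIZE)` call in pppdump_read; if process_data is also reached from pppdump_seek_read with a differently sized buffer, that caller is not visible here and should be confirmed. process_data begins and ends outside the hunk.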