-rw-r--r-- | docbook/release-notes.xml | 7 | ||||
-rw-r--r-- | epan/sigcomp-udvm.c | 19 | ||||
-rw-r--r-- | epan/sigcomp_state_hdlr.c | 30 | ||||
-rw-r--r-- | epan/sigcomp_state_hdlr.h | 3 |
4 files changed, 33 insertions, 26 deletions
diff --git a/docbook/release-notes.xml b/docbook/release-notes.xml
index abc03bb277..7735c15eab 100644
--- a/docbook/release-notes.xml
+++ b/docbook/release-notes.xml
@@ -149,6 +149,13 @@ Gnu info
 Versions affected: 0.10.8 to 0.10.12.
 </para></listitem>
+ <listitem><para>
+ The SigComp UDVM could go into an infinite loop or crash.
+ <!-- Fixed in r15715 -->
+ <!-- Bug IDs: none -->
+ Versions affected: 0.10.12.
+ </para></listitem>
+
 </itemizedlist>
 </para>
diff --git a/epan/sigcomp-udvm.c b/epan/sigcomp-udvm.c
index a6036acd7a..0074bc1bdb 100644
--- a/epan/sigcomp-udvm.c
+++ b/epan/sigcomp-udvm.c
@@ -177,7 +177,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet
 guint cycles_per_bit;
 guint maximum_UDVM_cycles;
 guint8 *sha1buff;
- unsigned char sha1_digest_buf[20];
+ unsigned char sha1_digest_buf[STATE_BUFFER_SIZE];
 sha1_context ctx;
@@ -255,10 +255,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet
 /* UDVM memory must be initialised to zero */
- while ( i < UDVM_MEMORY_SIZE ) {
- buff[i] = 0;
- i++;
- }
+ memset(buff, 0, UDVM_MEMORY_SIZE);
 /* Set initial UDVM data
 * The first 32 bytes of UDVM memory are then initialized to special
 * values as illustrated in Figure 5.
@@ -894,7 +891,7 @@ execute_next_instruction:
 k = ref_destination;
- for ( n=0; n<20; n++ ) {
+ for ( n=0; n< STATE_BUFFER_SIZE; n++ ) {
 buff[k] = sha1_digest_buf[n];
@@ -909,7 +906,7 @@ execute_next_instruction:
 if (print_level_2 ){
 proto_tree_add_text(udvm_tree, message_tvb, 0, -1, "Calculated SHA-1: %s",
- bytes_to_str(sha1_digest_buf, 20));
+ bytes_to_str(sha1_digest_buf, STATE_BUFFER_SIZE));
 }
 current_address = next_operand_address;
@@ -2403,7 +2400,7 @@ execute_next_instruction:
 result_code = 12;
 goto decompression_failure;
 }
- if (( minimum_access_length < 6 ) || ( minimum_access_length > 20 )){
+ if (( minimum_access_length < 6 ) || ( minimum_access_length > STATE_BUFFER_SIZE )){
 result_code = 1;
 goto decompression_failure;
 }
@@ -2663,9 +2660,7 @@ execute_next_instruction:
 */
 proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"no_of_state_create %u",no_of_state_create);
 if ( no_of_state_create != 0 ){
- for( x=0; x < 20; x++){
- sha1_digest_buf[x]=0;
- }
+ memset(sha1_digest_buf, 0, STATE_BUFFER_SIZE);
 n = 1;
 byte_copy_right = buff[66] << 8;
 byte_copy_right = byte_copy_right | buff[67];
@@ -2701,7 +2696,7 @@ execute_next_instruction:
 sha1_update( &ctx, (guint8 *) sha1buff, state_length_buff[n] + 8);
 sha1_finish( &ctx, sha1_digest_buf );
 if (print_level_3 ){
- proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"SHA1 digest %s",bytes_to_str(sha1_digest_buf, 20));
+ proto_tree_add_text(udvm_tree, bytecode_tvb, 0, -1,"SHA1 digest %s",bytes_to_str(sha1_digest_buf, STATE_BUFFER_SIZE));
 }
 udvm_state_create(sha1buff, sha1_digest_buf, state_minimum_access_length_buff[n]);
diff --git a/epan/sigcomp_state_hdlr.c b/epan/sigcomp_state_hdlr.c
index ef1d8c0e68..ea700f5d03 100644
--- a/epan/sigcomp_state_hdlr.c
+++ b/epan/sigcomp_state_hdlr.c
@@ -47,15 +47,17 @@
 #include "packet.h"
 #include "sigcomp_state_hdlr.h"
+#include "sigcomp-udvm.h"
+
 /*
 * Defenitions for:
 * The Session Initiation Protocol (SIP) and Session Description Protocol
 * (SDP) Static Dictionary for Signaling Compression (SigComp)
 * http://www.ietf.org/rfc/rfc3485.txt?number=3485
 */
-guint16 sip_sdp_state_length = 0x12e4;
+#define SIP_SDP_STATE_LENGTH 0x12e4
-static const guint8 sip_sdp_state_identifier[20] =
+static const guint8 sip_sdp_state_identifier[STATE_BUFFER_SIZE] =
 {
 /* -0000, */ 0xfb, 0xe5, 0x07, 0xdf, 0xe5, 0xe6, 0xaa, 0x5a, 0xf2, 0xab, 0xb9, 0x14, 0xce, 0xaa, 0x05, 0xf9,
 /* -0010, */ 0x9c, 0xe6, 0x1b, 0xa5
@@ -402,7 +404,7 @@ sigcomp_init_udvm(void){
 /*
 * Store static dictionaries in hash table
 */
- sip_sdp_buff = g_malloc(0x12e4+8);
+ sip_sdp_buff = g_malloc(SIP_SDP_STATE_LENGTH + 8);
 partial_state_str = bytes_to_str(sip_sdp_state_identifier, 6);
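Review bot: The memset at @@ -2663 and the two bytes_to_str calls (@@ -909, @@ -2701) now size the SHA-1 digest by STATE_BUFFER_SIZE, but sha1_finish at @@ -2701 always emits a fixed-length 20-byte digest, so one macro is standing in for two unrelated constants — the maximum partial state identifier length and the digest length — with nothing tying them together. Where the buffer itself is meant, use its own size, `memset(sha1_digest_buf, 0, sizeof sha1_digest_buf);`, and state the coupling at the declaration in @@ -177: `/* holds a SHA-1 digest; STATE_BUFFER_SIZE must remain equal to the 20-byte digest length */`. The same substitution in the copy loop at @@ -894 is a digest length too, whereas at @@ -2403 the 20 appears to be the protocol's upper bound on minimum_access_length (cf. the `/* Size is 6 - 20 */` comment in sigcomp_state_hdlr.c) rather than a buffer size, which is worth a comment so the two uses are not conflated later. All of these hunks lie inside decompress_sigcomp_message, whose start and end are outside the diff.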
@@ -410,7 +412,7 @@ sigcomp_init_udvm(void){
 * Debug g_warning("Sigcomp init: Storing partial state =%s",partial_state_str);
 */
 i = 0;
- while ( i < sip_sdp_state_length ){
+ while ( i < SIP_SDP_STATE_LENGTH ){
 sip_sdp_buff[i+8] = sip_sdp_static_dictionaty_for_sigcomp[i];
 /* Debug
 * g_warning(" Loading 0x%x at address %u",sip_sdp_buff[i] , i);
@@ -437,7 +439,7 @@ int udvm_state_access(tvbuff_t *tvb, proto_tree *tree,guint8 *buff,guint16 p_id_
 guint16 k;
 guint16 byte_copy_right;
 guint16 byte_copy_left;
- char partial_state[20]; /* Size is 6 - 20 */
+ char partial_state[STATE_BUFFER_SIZE]; /* Size is 6 - 20 */
 guint8 *state_buff;
 gchar *partial_state_str;
@@ -461,7 +463,7 @@ int udvm_state_access(tvbuff_t *tvb, proto_tree *tree,guint8 *buff,guint16 p_id_
 }
 n = 0;
- while ( n < p_id_length ){
+ while ( n < p_id_length && n < STATE_BUFFER_SIZE && p_id_start + n < UDVM_MEMORY_SIZE ){
 partial_state[n] = buff[p_id_start + n];
 n++;
 }
@@ -544,7 +546,7 @@ int udvm_state_access(tvbuff_t *tvb, proto_tree *tree,guint8 *buff,guint16 p_id_
 /* debug
 *g_warning(" state_begin %u state_address %u",state_begin , *state_address);
 */
- while ( n < (state_begin + *state_length + 8)){
+ while ( n < (state_begin + *state_length + 8) && n < STATE_BUFFER_SIZE ){
 buff[k] = state_buff[n];
 /* debug
 * g_warning(" Loading 0x%x at address %u",buff[k] , k);
@@ -564,8 +566,8 @@ int udvm_state_access(tvbuff_t *tvb, proto_tree *tree,guint8 *buff,guint16 p_id_
 void udvm_state_create(guint8 *state_buff,guint8 *state_identifier,guint16 p_id_length){
- char partial_state[20];
- guint8 i;
+ char partial_state[STATE_BUFFER_SIZE];
+ guint i;
 gchar *partial_state_str;
 gchar *dummy_buff;
 /*
@@ -575,7 +577,7 @@ void udvm_state_create(guint8 *state_buff,guint8 *state_identifier,guint16 p_id_
 */
 i = 0;
- while ( i < p_id_length ){
+ while ( i < p_id_length && i < STATE_BUFFER_SIZE ){
 partial_state[i] = state_identifier[i];
 i++;
 }
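Review bot: The new bound in udvm_state_access at @@ -544, `&& n < STATE_BUFFER_SIZE`, appears to cap the wrong quantity: `n` walks `state_buff`, the stored state whose extent is `state_begin + *state_length + 8`, while STATE_BUFFER_SIZE (20) is the partial state identifier limit, and stored states are much larger — this same diff allocates `SIP_SDP_STATE_LENGTH + 8` (0x12e4 + 8) bytes for the static dictionary — so the loop would now copy at most 20 bytes of state into UDVM memory. The guard that this loop needs is that `state_begin + *state_length + 8` does not exceed the size of the state actually stored, checked once before the loop rather than by clamping `n` to the identifier size; how `n`, `k` and `state_buff` are set up is outside the hunk, so this reading is inferred from the loop body and the allocation. Separately, the identifier copies at @@ -461 and in udvm_state_create at @@ -575 now truncate silently when p_id_length exceeds STATE_BUFFER_SIZE instead of reporting it, which is safe for the buffer but leaves a partially filled identifier; a comment such as `/* p_id_length > STATE_BUFFER_SIZE is clamped, not rejected */` would make that contract explicit. udvm_state_access and udvm_state_create both start and end outside these hunks.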
@@ -594,19 +596,19 @@ void udvm_state_create(guint8 *state_buff,guint8 *state_identifier,guint16 p_id_
 void udvm_state_free(guint8 buff[],guint16 p_id_start,guint16 p_id_length){
- char partial_state[20];
- guint8 i;
+ char partial_state[STATE_BUFFER_SIZE];
+ guint i;
 gchar *partial_state_str;
 /* gchar *dummy_buff; */
 i = 0;
- while ( i < p_id_length ){
+ while ( i < p_id_length && i < STATE_BUFFER_SIZE && p_id_start + i < UDVM_MEMORY_SIZE ){
 partial_state[i] = buff[p_id_start + i];
 i++;
 }
- partial_state_str = bytes_to_str(partial_state, p_id_length);
+ /* partial_state_str = bytes_to_str(partial_state, p_id_length); */
 /* TODO Implement a state create counter before actually freeing states
 * Hmm is it a good idea to free the buffer at all?
 g_warning("State-free on %s ",partial_state_str);
diff --git a/epan/sigcomp_state_hdlr.h b/epan/sigcomp_state_hdlr.h
index cf61dd4402..c23f24e763 100644
--- a/epan/sigcomp_state_hdlr.h
+++ b/epan/sigcomp_state_hdlr.h
@@ -41,5 +41,8 @@ extern void udvm_state_create(guint8 *state_buff,guint8 *state_identifier_buff,g
 extern void udvm_state_free(guint8 buff[],guint16 p_id_start,guint16 p_id_length);
 extern void sigcomp_init_udvm(void);
+
+#define STATE_BUFFER_SIZE 20
+
 #endif /* SIGCOMP_STATE_HDLR_H */
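Review bot: The new `#define STATE_BUFFER_SIZE 20` in sigcomp_state_hdlr.h carries no comment, yet the rest of this diff uses it both as the maximum partial state identifier length (the `/* Size is 6 - 20 */` arrays in sigcomp_state_hdlr.c) and as the SHA-1 digest length in sigcomp-udvm.c, so a reader changing it would not know which callers break. Document the meaning next to the definition: `#define STATE_BUFFER_SIZE 20 /* max (partial) state identifier length, 6..20; also the SHA-1 digest length */`. Since sigcomp_state_hdlr.c now includes sigcomp-udvm.h and sigcomp-udvm.c uses this macro, a one-line note on which header is expected to provide UDVM_MEMORY_SIZE versus STATE_BUFFER_SIZE would also help; that include relationship is only partly visible here.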