From 5574b78dae2f607d4ace66ab60d516d0c569357d Mon Sep 17 00:00:00 2001
From: Ulf
Date: Tue, 22 Aug 2017 21:52:29 -0400
Subject: Fix potential oob write crashes
Bug: 13847
Change-Id: I3a706db25204fe4c1fd1b7be3b17b8c55365dccf
Reviewed-on: https://code.wireshark.org/review/23169
Petri-Dish: Michael Mann
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann
---
 extcap/androiddump.c | 8 ++++----
 plugins/profinet/packet-dcerpc-pn-io.c | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/extcap/androiddump.c b/extcap/androiddump.c
index bdd4aaf4db..1e3829dec4 100644
--- a/extcap/androiddump.c
+++ b/extcap/androiddump.c
@@ -1102,7 +1102,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
 response[data_length] = '\0';
 data_str = strchr(response, '\n');
- if (data_str && sscanf(data_str, "%*s %s", pid) == 1) {
+ if (data_str && sscanf(data_str, "%*s %15s", pid) == 1) {
 g_debug("Android Bluetooth application PID for %s is %s", serial_number, pid);
 result = g_snprintf(check_port_buf, sizeof(check_port_buf), adb_check_port_templace, pid);
@@ -1123,7 +1123,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
 response[data_length] = '\0';
 data_str = strchr(response, '\n');
- if (data_str && sscanf(data_str, "%*s %s", pid) == 1 && strcmp(pid + 9, "10EA") == 0) {
+ if (data_str && sscanf(data_str, "%*s %15s", pid) == 1 && strlen(pid) > 10 && strcmp(pid + 9, "10EA") == 0) {
 g_debug("Bluedroid External Parser Port for %s is %s", serial_number, pid + 9);
 } else {
 disable_interface = 1;
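Review bot: An over-long token is now silently cut to 15 characters at `sscanf(data_str, "%*s %15s", pid)` and the truncated value is then formatted into `check_port_buf` on the `result = g_snprintf(...)` line and handed back to adb; since `response` is read from the device, an over-long token should be rejected rather than shortened. Recording the scan position makes that a one-line check: `if (data_str && sscanf(data_str, "%*s %15s%n", pid, &consumed) == 1 && (data_str[consumed] == '\0' || g_ascii_isspace(data_str[consumed]))) {` with `int consumed = 0;` declared next to `pid`. A comment such as `/* PID must fit in 15 chars; longer tokens are rejected, not truncated */` would record the intent. register_interfaces begins and ends outside this hunk, so the `pid` declaration the width depends on is not visible here.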
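Review bot: `strlen(pid) > 10` keeps `strcmp(pid + 9, "10EA")` inside the string, but it admits 11- and 12-character tokens that cannot hold four characters at offset 9, so the bound reads as arbitrary rather than as the layout it protects (the comparison then just runs into the terminator, which is safe). If the token is an `addr:port` field with the four hex port digits starting at index 9 — what the `pid + 9` offset implies, worth confirming against the adb output being parsed — then `strlen(pid) >= 13` states that directly, and a comment like `/* token is "XXXXXXXX:PPPP"; the hex port starts at offset 9 */` explains both constants. Reusing the `pid` buffer for a value that is not a PID is also worth a rename, since the `g_debug` on the next line prints it as a port. register_interfaces starts and ends outside the hunk.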
@@ -1175,7 +1175,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
 else data_str = strchr(response, '\n');
- if (data_str && sscanf(data_str, "%*s %s", pid) == 1) {
+ if (data_str && sscanf(data_str, "%*s %15s", pid) == 1) {
 g_debug("Android Bluetooth application PID for %s is %s", serial_number, pid);
 result = g_snprintf(check_port_buf, sizeof(check_port_buf), adb_check_port_templace, pid);
@@ -1196,7 +1196,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
 response[data_length] = '\0';
 data_str = strchr(response, '\n');
- if (data_str && sscanf(data_str, "%*s %s", pid) == 1 && strcmp(pid + 9, "22A8") == 0) {
+ if (data_str && sscanf(data_str, "%*s %15s", pid) == 1 && strlen(pid) > 10 && strcmp(pid + 9, "22A8") == 0) {
 g_debug("Btsnoop Net Port for %s is %s", serial_number, pid + 9);
 } else {
 disable_interface = 1;
diff --git a/plugins/profinet/packet-dcerpc-pn-io.c b/plugins/profinet/packet-dcerpc-pn-io.c
index 1ac755e1ed..a716eaf106 100644
--- a/plugins/profinet/packet-dcerpc-pn-io.c
+++ b/plugins/profinet/packet-dcerpc-pn-io.c
@@ -9457,7 +9457,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 if((strstr(puffer, vendorIdStr)) != NULL) {
 memset (convertStr, 0, sizeof(*convertStr));
 pch = strstr(puffer, vendorIdStr);
- if (pch!= NULL && sscanf(pch, "VendorID=\"%[^\"]", convertStr) == 1) {
+ if (pch!= NULL && sscanf(pch, "VendorID=\"%199[^\"]", convertStr) == 1) {
 read_vendor_id = (guint32) strtoul (convertStr, NULL, 0);
 if(read_vendor_id == searchVendorID) {
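Review bot: This is the third copy of `sscanf(data_str, "%*s %15s", pid)` in register_interfaces, and in each the literal 15 only agrees with a `pid` declaration that lives outside the hunk; nothing ties the width to `sizeof(pid)`, so a later resize of the buffer reopens the overflow this commit closes. I would declare the width once and derive both sides from it: `#define ADB_PID_MAX 15`, `char pid[ADB_PID_MAX + 1];`, and `"%*s %" G_STRINGIFY(ADB_PID_MAX) "s"` in all four calls. Whether `pid` is in fact exactly 16 bytes cannot be confirmed from this hunk. The `else` on the first context line belongs to an `if` outside the hunk, and the function itself starts and ends outside it.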
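Review bot: The guard-plus-compare `strlen(pid) > 10 && strcmp(pid + 9, "22A8") == 0` is now written out twice in register_interfaces with only the port literal differing, which is how both copies came to have no bound at all before this commit. A small helper keeps the bound in one place: `static gboolean adb_token_has_port(const char *token, const char *port_hex) { return strlen(token) >= 13 && strcmp(token + 9, port_hex) == 0; }` — 13 being the four hex digits after offset 9, which I infer from the offset rather than from anything visible here. On the mismatch path the interface is disabled silently; a `g_debug` of the unexpected token in the `else` branch would make that failure diagnosable. register_interfaces starts and ends outside this hunk.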
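Review bot: The context line `memset (convertStr, 0, sizeof(*convertStr));` clears a single byte, not the buffer: `sizeof(*convertStr)` is `sizeof(char)`. The new `%199[^\"]` width implies `convertStr` is a 200-byte array declared outside the hunk, so the intended call is `memset(convertStr, 0, sizeof(convertStr));`. This is not an overflow — `sscanf` NUL-terminates the conversion on success and `convertStr` is only read when it returns 1 — but the clean-buffer assumption the memset expresses is not actually met, and the same one-byte memset precedes every conversion in this function. dissect_ExpectedSubmoduleBlockReq_block begins and ends outside the hunk.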
@@ -9470,7 +9470,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 if((strstr(puffer, deviceIdStr)) != NULL) {
 memset(convertStr, 0, sizeof(*convertStr));
 pch = strstr(puffer, deviceIdStr);
- if (pch != NULL && sscanf(pch, "DeviceID=\"%[^\"]", convertStr) == 1) {
+ if (pch != NULL && sscanf(pch, "DeviceID=\"%199[^\"]", convertStr) == 1) {
 read_device_id = (guint32)strtoul(convertStr, NULL, 0);
 if(read_device_id == searchDeviceID) {
@@ -9604,7 +9604,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 memset (convertStr, 0, sizeof(*convertStr));
 pch = strstr(temp, fParameterIndexStr);
- if (pch != NULL && sscanf(pch, "Index=\"%[^\"]", convertStr) == 1) {
+ if (pch != NULL && sscanf(pch, "Index=\"%199[^\"]", convertStr) == 1) {
 io_data_object->fParameterIndexNr = (guint32)strtoul(convertStr, NULL, 0);
 }
 break; /* found Indexnumber -> break search loop */
@@ -9618,7 +9618,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 if((strstr(temp, moduleStr)) != NULL) { /* find the String "ModuleIdentNumber=" */
 memset (convertStr, 0, sizeof(*convertStr));
 pch = strstr(temp, moduleStr); /* search for "ModuleIdentNumber=\"" within GSD-file */
- if (pch != NULL && sscanf(pch, "ModuleIdentNumber=\"%[^\"]", convertStr) == 1) { /* Change format of Value string-->numeric string */
+ if (pch != NULL && sscanf(pch, "ModuleIdentNumber=\"%199[^\"]", convertStr) == 1) { /* Change format of Value string-->numeric string */
 read_module_id = (guint32)strtoul(convertStr, NULL, 0); /* Change numeric string --> unsigned long; read_module_id contains the Value of the ModuleIdentNumber */
 /* If the found ModuleID matches with the wanted ModuleID, search for the Submodule and break */
@@ -9629,7 +9629,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 if((strstr(temp, moduleNameInfo)) != NULL) { /* find the String "
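Review bot: `read_device_id = (guint32)strtoul(convertStr, NULL, 0);` accepts any text: a non-numeric `DeviceID` in the GSD file parses as 0, an overflowing one as `ULONG_MAX`, and the cast then discards the upper bits on 64-bit builds, so a malformed attribute can still satisfy `read_device_id == searchDeviceID` on the next line. Passing an end pointer lets the caller treat garbage as no match: `char *end = NULL; errno = 0; unsigned long v = strtoul(convertStr, &end, 0);` followed by `if (end != convertStr && *end == '\0' && errno != ERANGE && v <= G_MAXUINT32) read_device_id = (guint32)v;` (with `read_device_id` otherwise left at a value that cannot match). The VendorID, Index and ModuleIdentNumber conversions in this function have the same shape. The enclosing function starts and ends outside the hunk.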
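Review bot: The `break;` after the `if` block runs whether or not `sscanf(pch, "Index=\"%199[^\"]", convertStr)` matched, so a malformed `Index="..."` attribute ends the search with `fParameterIndexNr` left untouched; the trailing comment `/* found Indexnumber -> break search loop */` claims a match that was not necessarily made, and should read `/* Index attribute seen (parsed or not) -> stop searching */`. The literal 199 is also the fourth copy of a width that only agrees with a `convertStr` declaration outside this hunk; `#define CONVERT_STR_WIDTH 199`, `char convertStr[CONVERT_STR_WIDTH + 1];` and `"Index=\"%" G_STRINGIFY(CONVERT_STR_WIDTH) "[^\"]"` would keep buffer and format in step. dissect_ExpectedSubmoduleBlockReq_block begins and ends outside the hunk.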
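Review bot: The comments on this hunk describe the mechanics (`/* Change format of Value string-->numeric string */`) but not the one behaviour a reader will trip over: `%199[^\"]` is a matching failure when the first character is already the closing quote, so an empty `ModuleIdentNumber=""` makes `sscanf` return 0 and is treated exactly like a missing attribute rather than as module 0. I would replace the trailing comment on the `if` line with `/* %[ needs >= 1 char: an empty ModuleIdentNumber="" is treated as absent, not as 0 */`. The `/* If the found ModuleID matches ... */` comment refers to code past the end of the hunk, and the function itself starts and ends outside it.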