diff options
| author | Pascal Quantin <pascal.quantin@gmail.com> | 2014-03-02 18:25:31 +0100 |
|---|---|---|
| committer | Pascal Quantin <pascal.quantin@gmail.com> | 2014-03-03 15:36:21 +0000 |
| commit | 5fc9db83cf50f9fd27e64e3c249fef0f9459a05c (patch) | |
| tree | 40e26ed0ee935da1371ab94dd557a4e1081f0f05 | |
| parent | 2ab72685fb6f27b485f356432ea600ffa83588f5 (diff) | |
SSL: dynamically allocate session ticket storage area to avoid buffer overflow
Fixes bug 9825
Change-Id: I20ae65331ec11b2f6774054df4c026fd5fa76d3a
Reviewed-on: https://code.wireshark.org/review/447
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Pascal Quantin <pascal.quantin@gmail.com>
| -rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 4 | ||||
| -rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 1 | ||||
| -rw-r--r-- | epan/dissectors/packet-ssl.c | 2 |
3 files changed, 5 insertions, 2 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index 558deb7a3d..6c14af9bea 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c @@ -3715,7 +3715,7 @@ ssl_session_init(SslDecryptSession* ssl_session) ssl_session->session_id.data = ssl_session->_session_id; ssl_session->client_random.data = ssl_session->_client_random; ssl_session->server_random.data = ssl_session->_server_random; - ssl_session->session_ticket.data = ssl_session->_session_ticket; + ssl_session->session_ticket.data = NULL; ssl_session->session_ticket.data_len = 0; ssl_session->master_secret.data_len = 48; ssl_session->server_data_for_iv.data_len = 0; @@ -4855,6 +4855,8 @@ ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb if(is_client && ssl && ext_len != 0) { /*save the ticket on the ssl opaque so that we can use it as key on server hello */ + ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(), + ssl->session_ticket.data, ext_len); tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len); ssl->session_ticket.data_len = ext_len; } diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h index b88b638102..c8dfca6cc8 100644 --- a/epan/dissectors/packet-ssl-utils.h +++ b/epan/dissectors/packet-ssl-utils.h @@ -334,7 +334,6 @@ typedef struct { typedef struct _SslDecryptSession { guchar _master_secret[48]; guchar _session_id[256]; - guchar _session_ticket[1024]; guchar _client_random[32]; guchar _server_random[32]; StringInfo session_id; diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c index 5aabd55531..efbad01d41 100644 --- a/epan/dissectors/packet-ssl.c +++ b/epan/dissectors/packet-ssl.c @@ -2533,6 +2533,8 @@ dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree, /* save the session ticket to cache */ if(ssl){ + ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(), + ssl->session_ticket.data, session_ticket_length); tvb_memcpy(tvb,ssl->session_ticket.data, offset, session_ticket_length); ssl->session_ticket.data_len = session_ticket_length; ssl_save_session_ticket(ssl, ssl_session_hash); |