author Darius Davis <darius@vmware.com> 2018-04-29 15:48:53 +1000
committer Peter Wu <peter@lekensteyn.nl> 2018-04-30 13:18:24 +0000
commit 295abe2e83ba8428e84e7ff9b2f6f94ae948fa76 (patch)
tree 2a7feb236efdc562a1c4f75bb86a0a9469375bb9
parent c63be89ab880e79dea4e542c343879b60678fa2d (diff)
LDSS: Fix a read overrun in dissect_ldss_transfer.
dissect_ldss_transfer had a trivial read overrun: "line" was not NUL-terminated, and strtol/g_ascii_strtoull will keep reading and discarding any leading whitespace, so a malformed LDSS packet (with only whitespace characters following the tag on a "Size:"/"Start:"/"Compression:" line) could trigger a read overrun.

Let's replace the tvb_memdup with tvb_get_string_enc, which does some checking of the input characters (which, it seems, must always be ASCII), and produces a neat NUL-terminated string.

Testing Done: On Linux x64, ran "valgrind tshark -r fuzz-2018-04-23-14422.pcap" without the fix (to reproduce the failure), and then with the fix, and observed that no errors were reported anymore after the fix. 60,000 iters of fuzz-test with ldss_filtered.pcap as input, plus 1,000 iters under valgrind. Launched wireshark and opened ldss_filtered.pcap, and examined the dissection of the "ldss and tcp" packets; all looks good.

Bug: 14615
Change-Id: I3fccc4ffbe315a3cff6ea03cc7db37f884b0582c
Reviewed-on: https://code.wireshark.org/review/27204
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
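The failure mode the commit message describes, as an added example that is not Wireshark code: a bounded copy with an explicit NUL (the effect tvb_get_string_enc has on "line") confines strtoull to the buffer, and checking endptr rejects a "Size:"/"Start:"/"Compression:" line whose value is only whitespace instead of parsing it as 0. parse_tagged_number, LINE_MAX_LEN and the sample lines are constructed for this example.

```c
/* Added example, not Wireshark code.  Raw tvbuff bytes carry no NUL, so a
 * strtoull() that skips leading whitespace can read past the end of a copy
 * made with tvb_memdup(); a NUL-terminated copy bounds the read, and endptr
 * tells a whitespace-only value apart from a real 0. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 256   /* constructed bound for this example */

/* Parse "<tag><value>" from 'linelen' raw bytes (no NUL, like tvbuff data).
 * Returns 1 and stores the value, or 0 if the tag does not match, the value
 * has no digits (e.g. "Size:   \r\n"), is negative, overflows, or is followed
 * by anything other than line-end whitespace. */
static int parse_tagged_number(const uint8_t *line, size_t linelen,
                               const char *tag, uint64_t *out)
{
    char buf[LINE_MAX_LEN + 1];
    const char *p;
    char *end;
    size_t taglen = strlen(tag);

    if (linelen > LINE_MAX_LEN)
        return 0;
    memcpy(buf, line, linelen);
    buf[linelen] = '\0';          /* explicit terminator bounds every read */

    if (strncmp(buf, tag, taglen) != 0)
        return 0;
    p = buf + taglen;
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '-')                /* strtoull would silently wrap a negative */
        return 0;

    errno = 0;
    *out = strtoull(p, &end, 10);
    if (end == p || errno == ERANGE)  /* no digits consumed, or out of range */
        return 0;
    while (*end != '\0') {        /* only CR/LF (or other whitespace) may follow */
        if (!isspace((unsigned char)*end))
            return 0;
        end++;
    }
    return 1;
}
```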
-rw-r--r-- epan/dissectors/packet-ldss.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c
index 3207edc71a..c53e406b84 100644
--- a/epan/dissectors/packet-ldss.c
+++ b/epan/dissectors/packet-ldss.c
@@ -496,7 +496,7 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
/* Include new-line in line */
- line = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, offset, linelen+1); /* XXX - memory leak? */
+ line = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, linelen, ENC_ASCII);
line_tree = proto_tree_add_subtree(ldss_tree, tvb, offset, linelen,
ett_ldss_transfer_req, NULL,
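Review bot: the unchanged comment "/* Include new-line in line */" directly above the replaced call is now stale. The old tvb_memdup copied linelen+1 bytes so the line terminator was part of "line"; the new tvb_get_string_enc call passes linelen, so the returned string ends before the terminator and gets an explicit NUL instead. Update or drop the comment so it matches the code. Dropping the terminator is harmless for the strtol/g_ascii_strtoull parsing the commit message describes, since a trailing CR/LF would only be whitespace after the number, and the NUL is what actually bounds the read. The "XXX - memory leak?" worry also disappears with the old line: the string is still allocated in wmem_packet_scope() and freed with the packet.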