author | Darius Davis <darius@vmware.com> | 2018-04-29 15:48:53 +1000 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2018-04-30 13:18:24 +0000 |
commit | 295abe2e83ba8428e84e7ff9b2f6f94ae948fa76 (patch) | |
tree | 2a7feb236efdc562a1c4f75bb86a0a9469375bb9 | |
parent | c63be89ab880e79dea4e542c343879b60678fa2d (diff) |
LDSS: Fix a read overrun in dissect_ldss_transfer.
dissect_ldss_transfer had a trivial read overrun: "line" was not
NUL-terminated, and strtol/g_ascii_strtoull will keep reading and discarding
any leading whitespace, so a malformed LDSS packet (with only whitespace
characters following the tag on a "Size:"/"Start:"/"Compression:" line) could
trigger a read overrun.
Let's replace the tvb_memdup with tvb_get_string_enc, which does some checking
of the input characters (which, it seems, must always be ASCII), and produces a
neat NUL-terminated string.
Testing Done: On Linux x64, ran "valgrind tshark -r fuzz-2018-04-23-14422.pcap"
without the fix (to reproduce the failure), and then with the fix, and
observed that no errors were reported anymore after the fix. 60,000 iters of
fuzz-test with ldss_filtered.pcap as input, plus 1,000 iters under valgrind.
Launched wireshark and opened ldss_filtered.pcap, and examined the dissection
of the "ldss and tcp" packets; all looks good.
Bug: 14615
Change-Id: I3fccc4ffbe315a3cff6ea03cc7db37f884b0582c
Reviewed-on: https://code.wireshark.org/review/27204
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
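The overrun the commit message describes, shown as an added example in plain C (this is not Wireshark code and uses no glib or tvbuff API; the payload, the function names and the 128-byte scratch buffer are invented for the example). A constructed two-line payload has a whitespace-only "Size:" line followed in memory by the next line. The unbounded parser mirrors the old tvb_memdup path, where nothing stops strtoull() at the end of the line, so the value it returns is assembled from bytes outside the line; the bounded parser copies exactly linelen bytes into a NUL-terminated buffer, as tvb_get_string_enc does, and reports that the line carries no number at all.

```c
/*
 * Added example, not Wireshark code: why an unterminated "line" lets
 * strtoull() read past the end of the line, and the bounded alternative.
 * No glib/tvbuff API is used; the payload and all names are constructed
 * for this example.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed payload: a "Size:" line with only whitespace after the tag,
 * followed in memory by a line of digits and then a normal "Start:" line. */
static const char packet[] = "Size:   \n77\nStart: 5\n";

typedef struct {
    int ok;                   /* 1 if a number was found inside the line */
    unsigned long long value;
} tag_result;

/* Length of the line starting at offset, excluding the newline (this
 * example's stand-in for tvb_find_line_end()). */
static size_t line_len(const char *buf, size_t buflen, size_t offset)
{
    size_t i = offset;
    while (i < buflen && buf[i] != '\n')
        i++;
    return i - offset;
}

/* Parse "<tag><digits>" from a C string. strtoull() skips leading
 * whitespace and then scans digits until it meets a non-digit or NUL. */
static tag_result parse_cstr(const char *s, const char *tag)
{
    tag_result r = {0, 0};
    size_t taglen = strlen(tag);
    char *end;

    if (strncmp(s, tag, taglen) != 0)
        return r;
    errno = 0;
    r.value = strtoull(s + taglen, &end, 10);
    r.ok = (end != s + taglen && errno == 0);
    return r;
}

/* Mirrors the bug: the line is handed to strtoull() without a NUL at
 * linelen, so nothing bounds the whitespace skip or the digit scan and
 * the scan continues into whatever bytes follow the line. */
static tag_result parse_unbounded(const char *line, size_t linelen, const char *tag)
{
    (void)linelen;            /* the old code never used it to stop the scan */
    return parse_cstr(line, tag);
}

/* Mirrors the fix: copy exactly linelen bytes into a NUL-terminated
 * scratch buffer (what tvb_get_string_enc() hands back) so every byte
 * strtoull() inspects lies inside the line. Rejecting non-ASCII bytes is
 * this example's stand-in for the ENC_ASCII input checking. */
static tag_result parse_bounded(const char *line, size_t linelen, const char *tag)
{
    tag_result r = {0, 0};
    char buf[128];            /* scratch size chosen for the example */
    size_t i;

    if (linelen >= sizeof buf)
        return r;
    for (i = 0; i < linelen; i++)
        if ((unsigned char)line[i] > 0x7f)
            return r;
    memcpy(buf, line, linelen);
    buf[linelen] = '\0';
    return parse_cstr(buf, tag);
}

int main(void)
{
    size_t plen = sizeof packet - 1;
    size_t len = line_len(packet, plen, 0);
    tag_result bad = parse_unbounded(packet, len, "Size:");
    tag_result good = parse_bounded(packet, len, "Size:");

    printf("unbounded: ok=%d value=%llu (digits came from the next line)\n",
           bad.ok, bad.value);
    printf("bounded:   ok=%d value=%llu\n", good.ok, good.value);
    return 0;
}
```

In the real dissector the bytes after the line are whatever the tvbuff backing store happens to contain, which is why the original shows up as a read overrun under valgrind rather than as a wrong value; the constructed payload here simply makes the out-of-line read visible and deterministic.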
-rw-r--r-- | epan/dissectors/packet-ldss.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c index 3207edc71a..c53e406b84 100644 --- a/epan/dissectors/packet-ldss.c +++ b/epan/dissectors/packet-ldss.c @@ -496,7 +496,7 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE); /* Include new-line in line */ - line = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, offset, linelen+1); /* XXX - memory leak? */ + line = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, linelen, ENC_ASCII); line_tree = proto_tree_add_subtree(ldss_tree, tvb, offset, linelen, ett_ldss_transfer_req, NULL, |
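Review bot: the comment "/* Include new-line in line */" directly above the changed line is now stale. The removed tvb_memdup copied linelen+1 bytes precisely to pull the newline into "line", whereas tvb_get_string_enc(wmem_packet_scope(), tvb, offset, linelen, ENC_ASCII) copies exactly linelen bytes, so the newline is no longer part of the string; either drop the comment or reword it, and confirm that nothing later in dissect_ldss_transfer depends on the trailing newline being present (the hunk context does not show the consumers of "line"). Dropping the "XXX - memory leak?" remark is fine, since both the old and the new call allocate in wmem_packet_scope().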