author | Anders Broman <anders.broman@ericsson.com> | 2012-06-19 10:30:51 +0000 |
---|---|---|
committer | Anders Broman <anders.broman@ericsson.com> | 2012-06-19 10:30:51 +0000 |
commit | 9ee8562c32dd4bf1968247e21460bce3fb3963a7 (patch) | |
tree | 67944c24fe73cb6e2808c112b300d944d1294646 | |
parent | 9ff274758a78b1419293d232f2de9bc0b3508563 (diff) |
From Richard Sharpe:
Wireshark is unable to dissect Security Descriptors that span TCP segments where some are not captured or reassembled
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7363
svn path=/trunk/; revision=43352
-rw-r--r-- | epan/dissectors/packet-smb.c | 50 | ||||
-rw-r--r-- | epan/dissectors/packet-windows-common.c | 54 |
2 files changed, 78 insertions, 26 deletions
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c index 05ca312a71..2dd37dc0a3 100644 --- a/epan/dissectors/packet-smb.c +++ b/epan/dissectors/packet-smb.c @@ -5783,8 +5783,9 @@ dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree * } if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -5875,8 +5876,9 @@ dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -6080,8 +6082,9 @@ dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -6248,8 +6251,9 @@ dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -6408,8 +6412,9 @@ dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } 
@@ -6604,8 +6609,9 @@ dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -6838,8 +6844,9 @@ dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -6924,8 +6931,9 @@ dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -7329,8 +7337,9 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } pinfo->private_data = si; dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -7464,8 +7473,9 @@ dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tre END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } pinfo->private_data = si; dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -7506,8 +7516,9 @@ dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offs END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } 
@@ -7705,8 +7716,9 @@ dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -7857,8 +7869,9 @@ dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree END_OF_SMB if (cmd != 0xff) { /* there is an andX command */ - if (andxoffset < offset) + if (andxoffset < offset) { THROW(ReportedBoundsError); + } dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE); } @@ -8517,8 +8530,10 @@ dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pro DISSECTOR_ASSERT(si); if(parent_tree){ - tvb_ensure_bytes_exist(tvb, offset, bc); - item = proto_tree_add_text(parent_tree, tvb, offset, bc, + guint32 bytes = 0; + bytes = tvb_length_remaining(tvb, offset); + /*tvb_ensure_bytes_exist(tvb, offset, bc);*/ + item = proto_tree_add_text(parent_tree, tvb, offset, bytes, "%s Data", val_to_str_ext(ntd->subcmd, &nt_cmd_vals_ext, "Unknown NT transaction (%u)")); tree = proto_item_add_subtree(item, ett_smb_nt_trans_data); @@ -8564,6 +8579,11 @@ dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pro offset = dissect_nt_sec_desc( tvb, offset, pinfo, tree, NULL, TRUE, bc, ami); + + if (offset < (old_offset + bc)) { + offset = old_offset + bc; + } + break; case NT_TRANS_NOTIFY: break; diff --git a/epan/dissectors/packet-windows-common.c b/epan/dissectors/packet-windows-common.c index be75070d37..7546b28550 100644 --- a/epan/dissectors/packet-windows-common.c +++ b/epan/dissectors/packet-windows-common.c @@ -2362,6 +2362,8 @@ dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo, int pre_ace_offset; guint16 revision; guint32 num_aces; + guint32 total_aces; + gboolean missing_data = FALSE; if(parent_tree){ item = proto_tree_add_text(parent_tree, tvb, offset, -1, 
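Review bot: In the `@@ -8517` hunk of dissect_nt_trans_data_request, the result of `tvb_length_remaining()` is stored in a `guint32`, although that function returns a signed value and reports -1 when `offset` is already past the end of the buffer. The negative result then makes an unsigned round trip before it is passed as the item length. The item also now spans every remaining captured byte instead of at most `bc`, which over-highlights whenever more data follows the NT transaction data. I would declare `gint bytes = tvb_length_remaining(tvb, offset);`, clamp it with `if (bytes > bc) bytes = bc;` (assuming `bc` is a signed count; its declaration is outside the hunk), and delete the commented-out `tvb_ensure_bytes_exist` call instead of leaving it in the source.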
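Review bot: The added `offset = old_offset + bc;` step in the `@@ -8564` hunk carries no comment explaining why the value returned by `dissect_nt_sec_desc()` is overridden, and without one it reads like a bug. I would put `/* The descriptor may be only partly dissected when segments are missing; skip to the end of the declared data. */` above the `if`. `old_offset` is set outside the hunk, so I could not confirm that it still holds the start of the security descriptor here. `bc` is taken from the packet, so the resulting offset is only as trustworthy as that field.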
@@ -2407,15 +2409,27 @@ dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo, tvb, offset, 4, num_aces); offset += 4; - while(num_aces--){ + total_aces = num_aces; + + while(num_aces-- && !missing_data){ pre_ace_offset = offset; - offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami); - if (pre_ace_offset == offset) { + + TRY { + offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami); + if (pre_ace_offset == offset) { /* * Bogus ACE, with a length < 4. */ break; + } } + + CATCH2(BoundsError, ReportedBoundsError) { + proto_tree_add_text(tree, tvb, offset, 0, "ACE Extends beyond end of captured or reassembled buffer"); + missing_data = TRUE; + } + + ENDTRY; } } @@ -2663,9 +2677,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo, */ THROW(ReportedBoundsError); } - offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1); - if (offset > end_offset) - end_offset = offset; + TRY{ + offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1); + if (offset > end_offset) + end_offset = offset; + } + + CATCH2(BoundsError, ReportedBoundsError) { + proto_tree_add_text(tree, tvb, item_offset, 0, "Owner SID beyond end of captured or reassembled buffer"); + } + + ENDTRY; } /*group SID*/ @@ -2677,9 +2699,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo, */ THROW(ReportedBoundsError); } - offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1); - if (offset > end_offset) - end_offset = offset; + TRY { + offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1); + if (offset > end_offset) + end_offset = offset; + } + + CATCH2(BoundsError, ReportedBoundsError) { + proto_tree_add_text(tree, tvb, item_offset, 0, "Group SID beyond end of captured or reassembled buffer"); + } + + ENDTRY; } /* sacl */ @@ -2711,6 +2741,7 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo, if (offset > end_offset) end_offset = offset; } + break; default: 
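Review bot: The `break` that now sits inside the new `TRY` block in dissect_nt_acl (`@@ -2407` hunk) leaves the `while` loop without passing through `ENDTRY`. Wireshark's exception macros register a handler in `TRY` and release it in `ENDTRY`, so leaving early on a bogus ACE with a length < 4 would leave a stale handler referring to this function's frame, and that path is selected by packet contents. Use a flag instead: declare `gboolean bad_ace = FALSE;`, replace `break;` with `bad_ace = TRUE;`, and loop on `while(num_aces-- && !missing_data && !bad_ace)`. Separately, `total_aces` is assigned here but not read in any hunk shown, so it may trigger a set-but-unused warning unless it is used outside the visible lines.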
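Review bot: The `CATCH2` blocks added for the owner SID (`@@ -2663` hunk) and the group SID (`@@ -2677` hunk) turn both `BoundsError` and `ReportedBoundsError` into a plain text item. A descriptor whose SID offset points past the reported packet length is therefore no longer surfaced as a malformed packet, and an analyst cannot filter on it. I would keep the text but attach an expert item to it, along the lines of `expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_WARN, "Owner SID beyond end of captured or reassembled buffer");` with `ti` holding the item returned by `proto_tree_add_text()`; whether this file already includes the expert header is not visible here. The two blocks are identical apart from the label, so a small static helper taking the label would also remove the duplication.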
@@ -2720,16 +2751,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo, if (len_supplied) { /* Make sure the length isn't too large (so that we get an overflow) */ - tvb_ensure_bytes_exist(tvb, start_offset, len); + /* tvb_ensure_bytes_exist(tvb, start_offset, len);*/ } else { /* The length of the security descriptor is the difference between the starting offset and the offset past the last item in the descriptor. */ len = end_offset - start_offset; } + len = end_offset - start_offset; proto_item_set_len(item, len); - return offset+len; + return offset; } /* |
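Review bot: In the `@@ -2720` hunk the new unconditional `len = end_offset - start_offset;` overwrites the caller-supplied `len`, so the `if (len_supplied)` branch holds nothing but a commented-out call and the whole if/else no longer has any effect. The comment "Make sure the length isn't too large" now sits above a check that never runs, which is misleading in a function that works from lengths and offsets taken from the wire. I would delete the if/else together with the commented-out `tvb_ensure_bytes_exist` line and leave one comment saying that the item length is derived from the furthest item actually dissected. `return offset;` also returns the position after whichever item was dissected last; since `end_offset` tracks the furthest one, `return end_offset;` looks like the intended value, though the callers are outside the hunk and should be checked first.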