author | Gerald Combs <gerald@wireshark.org> | 2005-09-13 19:01:01 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2005-09-13 19:01:01 +0000 |
commit | a242f1926b83c03433f662eca9559eff32d25669 (patch) | |
tree | 893b198d5452872019a447d92fbc24b29490dd63 | |
parent | a65676817016effd8167d977a710d38248e280fe (diff) |
In smb_trans_defragment(), throw an exception if we encounter a too-large
fragment size. The limit is conservatively set at 65536 bytes. It may
have to be increased. Fixes bug 421.
Add an entry to the release notes.
svn path=/trunk/; revision=15789
-rw-r--r-- | docbook/release-notes.xml | 8 | ||||
-rw-r--r-- | epan/dissectors/packet-smb.c | 9 |
2 files changed, 17 insertions, 0 deletions
diff --git a/docbook/release-notes.xml b/docbook/release-notes.xml index 7735c15eab..2d962683ef 100644 --- a/docbook/release-notes.xml +++ b/docbook/release-notes.xml @@ -156,6 +156,14 @@ Gnu info Versions affected: 0.10.12. </para></listitem> + <listitem><para> + If SMB transaction payload reassembly is enabled the SMB + dissector could crash. This preference is disabled by default. + <!-- Fixed in r15789 --> + <!-- Bug IDs: 421 --> + Versions affected: 0.9.7 to 0.10.12. + </para></listitem> + </itemizedlist> </para> diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c index 8d96725f21..74c85b6e51 100644 --- a/epan/dissectors/packet-smb.c +++ b/epan/dissectors/packet-smb.c @@ -826,6 +826,11 @@ smb_trans_reassembly_init(void) fragment_table_init(&smb_trans_fragment_table); } +/* + * XXX - This keeps us from allocating huge amounts of memory as shown in + * bug 421. It may need to be increased. + */ +#define MAX_FRAGMENT_SIZE 65536 static fragment_data * smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb, int offset, int count, int pos, int totlen) @@ -834,6 +839,10 @@ smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb, smb_info_t *si; int more_frags; + if (count > MAX_FRAGMENT_SIZE || count < 0) { + THROW(ReportedBoundsError); + } + more_frags=totlen>(pos+count); si = (smb_info_t *)pinfo->private_data; |
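Review bot: In the packet-smb.c hunk that follows smb_trans_reassembly_init(), the XXX comment above MAX_FRAGMENT_SIZE does not state the unit or why 65536 was chosen, and the #define runs straight into the `static fragment_data *` declaration with no blank line. Say in the comment that the limit is in bytes and is applied to the count of a single fragment, so whoever later raises it knows what is being bounded, and add a blank line after the #define.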
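Review bot: In the smb_trans_defragment() hunk of packet-smb.c, the new check bounds only count, while the statement right after it, `more_frags=totlen>(pos+count);`, still uses pos and totlen unchecked. Both are plain int parameters, so a negative value or a pos near INT_MAX would make pos+count wrap or give a misleading more_frags result. Consider rejecting pos < 0 and totlen < 0 in the same condition that throws ReportedBoundsError, and writing the comparison so the addition cannot overflow once the bounds are known.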