author | Gerald Combs <gerald@wireshark.org> | 2012-08-07 23:06:29 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2012-08-07 23:06:29 +0000 |
commit | 5bdeb03b83c13d67c68805c817534b2333f29a42 (patch) | |
tree | 0544e3d991288a197b7125215200d242bf76e921 /epan/dissectors/packet-afp.c | |
parent | 9fd94df70fe96f7ac030c50a7bbb5d4ee7cfb44a (diff) |
Fix a large loop found by Stefan Cornelius of Red Hat Security Response
Team (bug 7603).
Display the ACL entry count as decimal instead of hexadecimal.
svn path=/trunk/; revision=44317
Diffstat (limited to 'epan/dissectors/packet-afp.c')
-rw-r--r-- | epan/dissectors/packet-afp.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/epan/dissectors/packet-afp.c b/epan/dissectors/packet-afp.c
index 9ff972cf63..89878931f5 100644
--- a/epan/dissectors/packet-afp.c
+++ b/epan/dissectors/packet-afp.c
@@ -4664,8 +4664,9 @@ decode_kauth_ace(tvbuff_t *tvb, proto_tree *tree, gint offset)
 return offset;
 }
+#define AFP_MAX_ACL_ENTRIES 500 /* Arbitrary. */
 static gint
-decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
+decode_kauth_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset)
 {
 int entries;
 int i;
@@ -4680,9 +4681,14 @@ decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
 sub_tree = proto_item_add_subtree(item, ett_afp_ace_entries);
 offset += 4;
- proto_tree_add_item(tree, hf_afp_acl_flags, tvb, offset, 4, ENC_BIG_ENDIAN);
+ item = proto_tree_add_item(tree, hf_afp_acl_flags, tvb, offset, 4, ENC_BIG_ENDIAN);
 offset += 4;
+ if (entries > AFP_MAX_ACL_ENTRIES) {
+ expert_add_info_format(pinfo, item, PI_UNDECODED, PI_WARN, "Excessive number of ACL entries (%u). Stopping dissection.", entries);
+ THROW(ReportedBoundsError);
+ }
+
 for (i = 0; i < entries; i++) {
 item = proto_tree_add_text(sub_tree, tvb, offset, 24, "ACE: %u", i);
 ace_tree = proto_item_add_subtree(item, ett_afp_ace_entry);
@@ -4694,7 +4700,7 @@ decode_kauth_acl(tvbuff_t *tvb, proto_tree *tree, gint offset)
 }
 static gint
-decode_uuid_acl(tvbuff_t *tvb, proto_tree *tree, gint offset, guint16 bitmap)
+decode_uuid_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint offset, guint16 bitmap)
 {
 if ((offset & 1))
 PAD(1);
@@ -4710,7 +4716,7 @@ decode_uuid_acl(tvbuff_t *tvb, proto_tree *tree, gint offset, guint16 bitmap)
 }
 if ((bitmap & kFileSec_ACL)) {
- offset = decode_kauth_acl(tvb, tree, offset);
+ offset = decode_kauth_acl(tvb, pinfo, tree, offset);
 }
 return offset;
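Review bot: `AFP_MAX_ACL_ENTRIES` is documented only as `/* Arbitrary. */` in the first hunk, which tells a maintainer neither what the limit protects nor how to judge a different value. A comment such as `/* Cap on ACEs dissected per ACL, so a crafted entry count cannot drive an excessive loop (bug 7603). */` would record the intent next to the constant. The body of decode_kauth_acl continues outside this hunk.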
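Review bot: The added guard `if (entries > AFP_MAX_ACL_ENTRIES)` in the second hunk is a signed comparison, because `entries` is declared `int` (visible in the first hunk's context) while the count field is registered as FT_UINT32. The assignment to `entries` is outside the hunk, but if it takes the 32-bit wire value directly, a count with the top bit set becomes negative and passes the guard; the `for` loop then runs zero times, so the packet is shown with no ACEs and no expert warning. Declaring `guint32 entries;` and `guint32 i;` would close that gap and also make the `%u` arguments match their types; a smaller change is `if (entries < 0 || entries > AFP_MAX_ACL_ENTRIES) {`. The function starts in the previous hunk and ends outside this one.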
@@ -4730,7 +4736,7 @@ dissect_query_afp_set_acl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, g
 offset = decode_name(tree, pinfo, tvb, offset);
- offset = decode_uuid_acl(tvb, tree, offset, bitmap);
+ offset = decode_uuid_acl(tvb, pinfo, tree, offset, bitmap);
 return offset;
 }
@@ -4762,7 +4768,7 @@ dissect_reply_afp_get_acl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tre
 bitmap = decode_acl_list_bitmap(tvb, tree, offset);
 offset += 2;
- offset = decode_uuid_acl(tvb, tree, offset, bitmap);
+ offset = decode_uuid_acl(tvb, pinfo, tree, offset, bitmap);
 return offset;
 }
@@ -6544,7 +6550,7 @@ proto_register_afp(void)
 { &hf_afp_acl_entrycount,
 { "ACEs count", "afp.acl_entrycount",
- FT_UINT32, BASE_HEX, NULL, 0,
+ FT_UINT32, BASE_DEC, NULL, 0,
 "Number of ACL entries", HFILL }},
 { &hf_afp_acl_flags, |
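Review bot: `pinfo` is now passed to decode_uuid_acl() in dissect_reply_afp_get_acl(), yet the hunk header at -4762 still shows the parameter declared as `packet_info *pinfo _U_`. The signature lies outside the hunk (the header text is truncated) and no other hunk of this commit touches it, so the unused marker appears to be left stale. Dropping it, `packet_info *pinfo`, keeps the annotation truthful, so a later reader does not assume the dissector ignores packet state.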