author | Martin Kaiser <wireshark@kaiser.cx> | 2016-09-17 18:46:26 +0200 |
committer | Guy Harris <guy@alum.mit.edu> | 2016-09-17 19:49:49 +0000 |
commit | ede1af20ba483dd7b6b35d3bd1eabe5cc463592c (patch) | |
tree | 2b5525526e806125c6e3243e3e310637ec9023a4 /epan/dissectors/packet-eap.c | |
parent | 983a9691a9ec18e29f045300dbb6d664c9da1635 (diff) |
eap: make eap_identity_prefix a numeric item
This used to be a string item, its value was not 0-terminated. This
resulted in out-of-bounds mem access when eap_identity_prefix was used
by proto_tree_add_string_format().
==14744== Conditional jump or move depends on uninitialised value(s)
==14744== at 0x4C294F8: strlen (mc_replace_strmem.c:390)
==14744== by 0xC19C97F: g_strdup (gstrfuncs.c:355)
==14744== by 0x739CA75: string_fvalue_set_string (ftype-string.c:51)
==14744== by 0x67136A9: proto_tree_add_string (proto.c:3515)
==14744== by 0x6713870: proto_tree_add_string_format (proto.c:3547)
==14744== by 0x69BB494: dissect_eap (packet-eap.c:838)
==14744== by 0x66FD0B4: call_dissector_work (packet.c:649)
As the content is a number anyway, the simplest solution is to make
eap_identity_prefix a numeric item and use
proto_tree_add_uint_format_value().
Bug: 12913
Change-Id: I907b1d3555a96e9662b1d8253d17d35adfdada48
Reviewed-on: https://code.wireshark.org/review/17760
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan/dissectors/packet-eap.c')
-rw-r--r-- | epan/dissectors/packet-eap.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c
index d7f824bca1..ead12ecfc3 100644
--- a/epan/dissectors/packet-eap.c
+++ b/epan/dissectors/packet-eap.c
@@ -650,10 +650,10 @@ dissect_eap_aka(proto_tree *eap_tree, tvbuff_t *tvb, int offset, gint size)
             proto_tree_add_item(attr_tree, hf_eap_identity_actual_len, tvb, aoffset, 2, ENC_BIG_ENDIAN);
             eap_identity_prefix = tvb_get_guint8(tvb, aoffset + 2) - '0';
-            proto_tree_add_string_format(attr_tree, hf_eap_identity_prefix, tvb, aoffset + 2, 1,
-              &eap_identity_prefix, "Identity Prefix: %s (%u)",
-              val_to_str(eap_identity_prefix, eap_identity_prefix_vals, "Unknown"),
-              eap_identity_prefix);
+            proto_tree_add_uint_format_value(attr_tree, hf_eap_identity_prefix,
+              tvb, aoffset+2, 1, eap_identity_prefix, "%s (%u)",
+              val_to_str(eap_identity_prefix, eap_identity_prefix_vals, "Unknown"),
+              eap_identity_prefix);
             proto_tree_add_item(attr_tree, hf_eap_identity, tvb, aoffset + 2, aleft - 2, ENC_ASCII|ENC_NA);
           } else
@@ -831,10 +831,10 @@ dissect_eap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
           eap_identity_item = proto_tree_add_item(eap_tree, hf_eap_identity, tvb, offset, size, ENC_ASCII|ENC_NA);
           eap_identity_tree = proto_item_add_subtree(eap_identity_item, ett_identity);
           eap_identity_prefix = tvb_get_guint8(tvb, offset) - '0';
-          proto_tree_add_string_format(eap_identity_tree, hf_eap_identity_prefix, tvb, offset, 1,
-            &eap_identity_prefix, "Identity Prefix: %s (%u)",
-            val_to_str(eap_identity_prefix, eap_identity_prefix_vals, "Unknown"),
-            eap_identity_prefix);
+          proto_tree_add_uint_format_value(eap_identity_tree, hf_eap_identity_prefix,
+            tvb, offset, 1, eap_identity_prefix, "%s (%u)",
+            val_to_str(eap_identity_prefix, eap_identity_prefix_vals, "Unknown"),
+            eap_identity_prefix);
         }
         if(!pinfo->fd->flags.visited) {
           conversation_state->leap_state = 0;
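Review bot: The value passed to proto_tree_add_uint_format_value() in the dissect_eap hunk is `tvb_get_guint8(tvb, offset) - '0'`, so when the first identity byte is not an ASCII digit the registered 1-byte field carries an arbitrary derived number (wrapped, if eap_identity_prefix is an 8-bit type; its declaration is outside the hunk) rather than the byte the item highlights, and a display filter on eap.identity.prefix then matches a value that does not appear in the packet. val_to_str() falls back to "Unknown" so the rendered text is fine, but the stored value should either be gated on `g_ascii_isdigit()` with the raw byte added otherwise, or the convention documented next to the call with `/* field value is the prefix digit, not the raw byte: '0'..'9' -> 0..9 */`. The same four added lines appear in the dissect_eap_aka hunk above; a small static helper taking the tree, tvb and offset would remove the duplication and keep both call sites in step. dissect_eap begins and ends outside this hunk, so whether size >= 1 is checked before the byte read cannot be confirmed here.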
@@ -1289,9 +1289,8 @@ proto_register_eap(void)
       NULL, HFILL }},
     { &hf_eap_identity_prefix, {
-      "Identity", "eap.identity.prefix",
-      FT_STRING, BASE_NONE, NULL, 0x0,
-      NULL, HFILL }},
+      "Identity Prefix", "eap.identity.prefix",
+      FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }},
     { &hf_eap_identity_actual_len, {
       "Identity Actual Length", "eap.identity.actual_len", |