author | Michael Mann <mmann78@netscape.net> | 2015-12-26 17:41:42 -0500 |
committer | Michael Mann <mmann78@netscape.net> | 2015-12-26 23:45:15 +0000 |
commit | d48b0eff28c995947ac3f8d842ddd9b50dd5798d (patch) | |
tree | 5cac503381f41c737f0eb7b47c32314fb124416b /epan/dissectors/packet-mswsp.c | |
parent | f26615456a4ec29906e71a10a19448b84de56887 (diff) |
Sanity check column size to prevent allocating an unrealistic amount of memory.
Bug: 11931
Change-Id: I19fa2937a649382b3a2eda2c8192246e3e9d9e28
Reviewed-on: https://code.wireshark.org/review/12874
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-mswsp.c')
-rw-r--r-- | epan/dissectors/packet-mswsp.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
index 6989500a3d..b2a240f2e1 100644
--- a/epan/dissectors/packet-mswsp.c
+++ b/epan/dissectors/packet-mswsp.c
@@ -337,6 +337,7 @@ static int SMB2 = 2;
 void proto_reg_handoff_mswsp(void);
 static expert_field ei_missing_msg_context = EI_INIT;
+static expert_field ei_mswsp_msg_cpmsetbinding_ccolumns = EI_INIT;
 static int proto_mswsp = -1;
 static int hf_mswsp_msg = -1;
@@ -5897,6 +5898,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 proto_item *ti;
 proto_tree *tree, *pad_tree;
 guint32 size, num, n;
+ gint64 column_size;
 ti = proto_tree_add_item(parent_tree, hf_mswsp_msg, tvb, offset, -1, ENC_NA);
 tree = proto_item_add_subtree(ti, ett_mswsp_msg);
@@ -5923,10 +5925,19 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 num = tvb_get_letohl(tvb, offset);
 request.ccolumns = num;
- proto_tree_add_item(tree, hf_mswsp_msg_cpmsetbinding_ccolumns, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+ ti = proto_tree_add_item(tree, hf_mswsp_msg_cpmsetbinding_ccolumns, tvb, offset, 4, ENC_LITTLE_ENDIAN);
 offset += 4;
 proto_tree_add_item(tree, hf_mswsp_msg_cpmsetbinding_acolumns, tvb, offset, size-4, ENC_NA);
+
+ /* Sanity check size value */
+ column_size = num*sizeof(struct CTableColumn);
+ if (column_size > tvb_reported_length_remaining(tvb, offset))
+ {
+ expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
+ return tvb_reported_length(tvb);
+ }
+
 ct = get_create_converstation_data(pinfo);
 request.acolumns = (struct CTableColumn*)wmem_alloc(wmem_file_scope(),
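Review bot: The new sanity check in dissect_CPMSetBindings can still be bypassed on 32-bit builds, because `column_size = num*sizeof(struct CTableColumn);` multiplies a `guint32` by a `size_t` at `size_t` width and only then widens the result to `gint64`; on an ILP32 target a large attacker-chosen `num` wraps the product to a small value that passes the `tvb_reported_length_remaining` comparison, while the allocation a few lines later is apparently sized from the same expression (its size argument is cut off at the end of this hunk and is not visible here). Widen before multiplying, `column_size = (gint64)num * (gint64)sizeof(struct CTableColumn);`, or avoid the product altogether by checking `num` against `tvb_reported_length_remaining(tvb, offset) / sizeof(struct CTableColumn)` once the remaining length is known to be non-negative. A second caveat worth a comment on the check: it compares the in-memory size of `struct CTableColumn` with bytes left on the wire, which only bounds the allocation sensibly if one encoded column occupies at least that many bytes; if the wire form can be shorter, the check would reject legitimate packets, and if it is longer, the bound is loose but still limited by the packet size. dissect_CPMSetBindings starts before this hunk and continues after it.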
@@ -8026,7 +8037,8 @@ proto_register_mswsp(void)
 };
 static ei_register_info ei[] = {
- { &ei_missing_msg_context, { "mswsp.msg.cpmgetrows.missing_msg_context", PI_SEQUENCE, PI_WARN, "previous messages needed for context not captured", EXPFILL }}
+ { &ei_missing_msg_context, { "mswsp.msg.cpmgetrows.missing_msg_context", PI_SEQUENCE, PI_WARN, "previous messages needed for context not captured", EXPFILL }},
+ { &ei_mswsp_msg_cpmsetbinding_ccolumns, { "mswsp.msg.cpmsetbinding.ccolumns.invalude", PI_PROTOCOL, PI_WARN, "Invalid number of cColumns for packet", EXPFILL }}
 };
 int i; |
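Review bot: The new expert-info entry registers the display-filter name `"mswsp.msg.cpmsetbinding.ccolumns.invalude"`, which misspells "invalid"; filter names are user-visible and scripted against, so the typo will be awkward to rename once it ships. Change the string to `"mswsp.msg.cpmsetbinding.ccolumns.invalid"` before merging. It may also be worth considering `PI_MALFORMED` rather than `PI_PROTOCOL` for the group, since the condition is a field value that cannot fit in the packet rather than a protocol-level deviation, but that is a judgement call. The `ei[]` array and proto_register_mswsp extend beyond this hunk.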