author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-18 23:34:48 +0000 |
committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-18 23:34:48 +0000 |
commit | 23d9a348a1fea58e1e0ab160703401ca8f990f19 (patch) | |
tree | f50804d30df9bcbef217e70790d103bec9a376cb /epan/dissectors/packet-ntlmssp.c | |
parent | a0606ce0b2c6fc49c433e10c547ff41b03bea73c (diff) |
Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8941 :
Storing 2 different structures on the fd proto_data (with the same key) isn't
safe: use different keys to keep them separate. I do wonder if both are
really necessary...
This fix can be back-ported to trunk-1.10 but not trunk-1.8 (which lacks the
key identifier for proto_data's).
svn path=/trunk/; revision=50734
Diffstat (limited to 'epan/dissectors/packet-ntlmssp.c')
-rw-r--r-- | epan/dissectors/packet-ntlmssp.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index b99ba3ae05..da8bd38467 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -273,6 +273,7 @@ typedef struct _ntlmssp_blob {
 guint8 contents[MAX_BLOB_SIZE];
 } ntlmssp_blob;
+#define NTLMSSP_CONV_INFO_KEY 0
 /* Used in the conversation function */
 typedef struct _ntlmssp_info {
 guint32 flags;
@@ -289,6 +290,7 @@ typedef struct _ntlmssp_info {
 ntlmssp_blob lm_response;
 } ntlmssp_info;
+#define NTLMSSP_PACKET_INFO_KEY 1
 /* If this struct exists in the payload_decrypt, then we have already decrypted it once */
 typedef struct _ntlmssp_packet_info {
@@ -1631,7 +1633,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
 * - has the AUTHENTICATE message in a second TCP connection;
 * (The authentication aparently succeeded).
 */
- conv_ntlmssp_info = (ntlmssp_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ conv_ntlmssp_info = (ntlmssp_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_CONV_INFO_KEY);
 if (conv_ntlmssp_info == NULL) {
 /*
 * There isn't any. Is there any from this conversation? If so,
@@ -1650,7 +1652,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
 /* XXX: The *conv_ntlmssp_info struct attached to the frame is the same as the one attached to the conversation. That is: *both* point to the exact same struct in memory. Is this what is indended ? */
- p_add_proto_data(pinfo->fd, proto_ntlmssp, 0, conv_ntlmssp_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_CONV_INFO_KEY, conv_ntlmssp_info);
 }
 if (conv_ntlmssp_info != NULL) {
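Review bot: NTLMSSP_CONV_INFO_KEY is added with no comment saying why it exists, yet the distinctness of the two keys is the entire fix: with both structs stored under key 0, the `(ntlmssp_packet_info *)` cast in decrypt_data_payload could reinterpret the ntlmssp_info that dissect_ntlmssp_auth attached to the same frame, which is the bug 8941 fuzz failure the description refers to. I would put `/* p_add_proto_data keys for the two per-frame structs; they must stay distinct (bug 8941) */` above the define and, because the @@ -289 hunk adds the second key some thirty lines away, declare both in one `enum { NTLMSSP_CONV_INFO_KEY = 0, NTLMSSP_PACKET_INFO_KEY = 1 };` so a future key cannot silently reuse 0. Nothing in these hunks checks the type stored behind a key, so the casts on the p_get_proto_data results in the later hunks remain the only guard; that looks like a limitation of the proto_data API rather than something this commit can address.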
@@ -1999,11 +2001,11 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
 ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL;
 /* Check to see if we already have state for this packet */
- packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
 if (packet_ntlmssp_info == NULL) {
 /* We don't have any packet state, so create one */
 packet_ntlmssp_info = se_new0(ntlmssp_packet_info);
- p_add_proto_data(pinfo->fd, proto_ntlmssp, 0, packet_ntlmssp_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY, packet_ntlmssp_info);
 }
 if (!packet_ntlmssp_info->payload_decrypted) {
 conversation_t *conversation;
@@ -2223,7 +2225,7 @@ decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
 int sequence = 0;
 ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL;
- packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
 if (packet_ntlmssp_info == NULL) {
 /* We don't have data for this packet */
 return;
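Review bot: The get-or-create block in decrypt_data_payload is repeated almost verbatim in dissect_ntlmssp_encrypted_payload (the @@ -2535 hunk), and that copy is the one where the key argument was previously missing altogether (`p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info)`, presumably in a path not compiled in normal builds); two hand-maintained copies of the same lookup are how the keys drifted in the first place. A small static helper that owns NTLMSSP_PACKET_INFO_KEY would reduce both call sites to one line and keep the key in a single place, and decrypt_verifier (the @@ -2223 hunk) could share the lookup half of it. All three enclosing functions start and end outside their hunks.
```c
/* Per-frame decryption state for this packet, created on first use.
 * Keyed under NTLMSSP_PACKET_INFO_KEY so it can never collide with the
 * ntlmssp_info that dissect_ntlmssp_auth stores under NTLMSSP_CONV_INFO_KEY. */
static ntlmssp_packet_info *
get_or_create_packet_info(packet_info *pinfo)
{
  ntlmssp_packet_info *info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
  if (info == NULL) {
    info = se_new0(ntlmssp_packet_info);
    p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY, info);
  }
  return info;
}

/* … unchanged: decrypt_data_payload up to the state lookup … */
  packet_ntlmssp_info = get_or_create_packet_info(pinfo);
  if (!packet_ntlmssp_info->payload_decrypted) {
/* … unchanged: rest of decrypt_data_payload … */
```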
@@ -2535,11 +2537,11 @@ dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb,
 fprintf(stderr, "Called dissect_ntlmssp_encrypted_payload\n");
 /* Check to see if we already have state for this packet */
- packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
 if (packet_ntlmssp_info == NULL) {
 /* We don't have any packet state, so create one */
- packet_ntlmssp_info = se_alloc0(sizeof(ntlmssp_packet_info));
- p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info);
+ packet_ntlmssp_info = se_new0(ntlmssp_packet_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY, packet_ntlmssp_info);
 }
 if (!packet_ntlmssp_info->payload_decrypted) {
 |