authorLuis Ontanon <luis.ontanon@gmail.com>2007-08-25 14:15:56 +0000
committerLuis Ontanon <luis.ontanon@gmail.com>2007-08-25 14:15:56 +0000
commit7c174c63f827576c33ca258b267987d5ad950248 (patch)
tree8aef4d7c7a337d397db856334684bf4c83843397 /epan/oids.c
parent1f58f3e2ec39d4190f3912aea6fa938f98adac42 (diff)
Initialize to zero all subids in oid_string2subid() to avoid creating bogus oids. This is aspirin for a buffer overflow somewhere in the code that reads certificates, that dimensions a buffer probably assuming oid subids are few digits while they can actually be bigger.
Place two DISSECTOR_ASSERT() guards to avoid an (I believe impossible) buffer overflow of the ep_allocated subid array in oid_string2subid() and oid_encoded2subid(). svn path=/trunk/; revision=22656
Diffstat (limited to 'epan/oids.c')
-rw-r--r--epan/oids.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/epan/oids.c b/epan/oids.c
index 01c473b646..cbd655de53 100644
--- a/epan/oids.c
+++ b/epan/oids.c
@@ -90,7 +90,7 @@ static oid_info_t* add_oid(const char* name, oid_kind_t kind, const oid_value_ty
if(n) {
if (i == oid_len) {
if (n->name) {
- D(0,("RENAMING %s -> %s",n->name,name));
+ D(2,("Renaming Oid from: %s -> %s, this menas the same oid is registered more than once",n->name,name));
g_free(n->name);
}
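Review bot: The new debug string on the added `D(2,...)` line contains a typo, "menas" for "means", which will make the message harder to grep for. I would write it as `D(2,("Renaming Oid from: %s -> %s, this means the same oid is registered more than once",n->name,name));`. The enclosing add_oid() body starts and ends outside this hunk.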
@@ -679,6 +679,7 @@ guint check_num_oid(const char* str) {
guint oid_string2subid(const char* str, guint32** subids_p) {
const char* r = str;
guint32* subids;
+ guint32* subids_overflow;
guint n = check_num_oid(str);
D(6,("oid_string2subid: str='%s'",str));
@@ -690,8 +691,8 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
D(7,("\toid_string2subid: n=%d",n));
- *subids_p = subids = ep_alloc_array(guint32,n);
-
+ *subids_p = subids = ep_alloc0(sizeof(guint32)*n);
+ subids_overflow = subids + n;
do switch(*r) {
case '.':
D(7,("\toid_string2subid: subid: %p %u",subids,*subids));
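Review bot: The switch to `ep_alloc0` is load-bearing but nothing at the call site says why, so a later cleanup back to a non-zeroing allocator would silently reintroduce the bogus subids. I would add a comment above the allocation such as `/* must be zeroed: the digit case accumulates into *subids in place */`. `subids_overflow` is a one-past-the-end pointer, so a name like `subids_end` would read more naturally next to the `subids < ...` check; the same applies to `subid_overflow` in oid_encoded2subid(). The function body continues outside this hunk.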
@@ -699,6 +700,7 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
continue;
case '1' : case '2' : case '3' : case '4' : case '5' :
case '6' : case '7' : case '8' : case '9' : case '0' :
+ DISSECTOR_ASSERT(subids < subids_overflow);
*(subids) *= 10;
*(subids) += *r - '0';
continue;
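Review bot: The added assert bounds the pointer, but the accumulation on the two lines below it still wraps silently when a subid exceeds 32 bits, which yields exactly the kind of bogus OID the commit message wants to avoid. A check before the multiply, `if (*subids > (G_MAXUINT32 - (guint32)(*r - '0')) / 10)`, would let the function reject the string instead of returning a truncated value. How malformed input is reported to the caller is outside this hunk, so the failure action should follow whatever the rest of oid_string2subid() already does.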
@@ -719,10 +721,12 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
guint32 subid = 0;
gboolean is_first = TRUE;
guint32* subids;
-
+ guint32* subid_overflow;
+
for (i=0; i<oid_len; i++) { if (! (oid_bytes[i] & 0x80 )) n++; }
*subids_p = subids = ep_alloc(sizeof(guint32)*n);
+ subid_overflow = subids+n;
for (i=0; i<oid_len; i++){
guint8 byte = oid_bytes[i];
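Review bot: This allocation still uses `ep_alloc` while the same commit moves oid_string2subid() to `ep_alloc0`, so the two parsers now differ in whether unwritten slots are defined. If the count `n` can ever exceed the number of stores performed by the second loop (the initial value of `n` and the return statement are outside this hunk), callers would read uninitialised ep memory as subids. Using `*subids_p = subids = ep_alloc0(sizeof(guint32)*n);` here as well would make that case deterministic and keep the two functions consistent.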
@@ -745,6 +749,7 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
is_first = FALSE;
}
+ DISSECTOR_ASSERT(subids < subid_overflow);
*subids++ = subid;
subid = 0;
}
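Review bot: The guard covers only the `*subids++ = subid;` store that follows it. If the `is_first` branch that closes just above also writes through `subids` (its body is outside this hunk), that write is not checked and would need the same `DISSECTOR_ASSERT(subids < subid_overflow);` in front of it. A short comment on the assert stating that it converts an out-of-bounds write on packet-derived data into a dissector error would also help readers, since the commit message describes the overflow as believed impossible.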