authorJohn Thacker <johnthacker@gmail.com>2023-11-18 17:11:55 -0500
committerJohn Thacker <johnthacker@gmail.com>2023-11-18 23:38:07 +0000
commit2a482336b863b9b5acada2469906ea8fb893a09b (patch)
tree0b51dfd5dab45863c7fe8c5f84db1b828d34e992 /epan/proto.c
parent8c22a6cc0240123750347173acef964a3909da34 (diff)
epan: Fix truncation of BASE_OUI labels
There's been an assumption that INT32 based fields won't need labels longer than 32 bytes, and INT64 based fields no longer than 48. Buffers are declared to hold the integer labels. These buffers are all intermediate buffers allocated on the stack and used in static functions; none of them are the final returned label, which is ITEM_LABEL_LENGTH. BASE_OUI can require 64 bytes at most for the manufacturer string (including null), plus 11 extra bytes for the "XX:XX:XX ()" part. (Service names for port numbers ought to be limited to 15 characters, https://www.rfc-editor.org/rfc/rfc6335#section-5.1 ) Define NUMBER_LABEL_LENGTH and make it 80 bytes. That's smaller than ITEM_LABEL_LENGTH (240); it could be increased to ITEM_LABEL_LENGTH without trouble if necessary; using a #define makes it easier to do so. Fix #18069.
Diffstat (limited to 'epan/proto.c')
-rw-r--r--epan/proto.c65
1 files changed, 35 insertions, 30 deletions
diff --git a/epan/proto.c b/epan/proto.c
index 2075f8de5e..8aaae18e9c 100644
--- a/epan/proto.c
+++ b/epan/proto.c
@@ -213,6 +213,11 @@ struct ptvcursor {
}
#endif
+/* The longest NUMBER-like field label we have is for BASE_OUI, which
+ * can have up to 64 bytes for the manufacturer name if resolved plus
+ * 11 bytes for the "XX:XX:XX ()" part = 75 octets.
+ */
+#define NUMBER_LABEL_LENGTH 80
static const char *hf_try_val_to_str(guint32 value, const header_field_info *hfinfo);
static const char *hf_try_val64_to_str(guint64 value, const header_field_info *hfinfo);
@@ -240,16 +245,16 @@ static void fill_label_number64(field_info *fi, gchar *label_str, gboolean is_si
static size_t fill_display_label_float(field_info *fi, gchar *label_str);
static void fill_label_float(field_info *fi, gchar *label_str);
-static const char *hfinfo_number_value_format_display(const header_field_info *hfinfo, int display, char buf[32], guint32 value);
-static const char *hfinfo_number_value_format_display64(const header_field_info *hfinfo, int display, char buf[48], guint64 value);
+static const char *hfinfo_number_value_format_display(const header_field_info *hfinfo, int display, char buf[NUMBER_LABEL_LENGTH], guint32 value);
+static const char *hfinfo_number_value_format_display64(const header_field_info *hfinfo, int display, char buf[NUMBER_LABEL_LENGTH], guint64 value);
static const char *hfinfo_char_vals_format(const header_field_info *hfinfo, char buf[32], guint32 value);
-static const char *hfinfo_number_vals_format(const header_field_info *hfinfo, char buf[32], guint32 value);
-static const char *hfinfo_number_vals_format64(const header_field_info *hfinfo, char buf[48], guint64 value);
-static const char *hfinfo_number_value_format(const header_field_info *hfinfo, char buf[32], guint32 value);
-static const char *hfinfo_number_value_format64(const header_field_info *hfinfo, char buf[48], guint64 value);
+static const char *hfinfo_number_vals_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value);
+static const char *hfinfo_number_vals_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value);
+static const char *hfinfo_number_value_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value);
+static const char *hfinfo_number_value_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value);
static const char *hfinfo_char_value_format(const header_field_info *hfinfo, char buf[32], guint32 value);
-static const char *hfinfo_numeric_value_format(const header_field_info *hfinfo, char buf[32], guint32 value);
-static const char *hfinfo_numeric_value_format64(const header_field_info *hfinfo, char buf[48], guint64 value);
+static const char *hfinfo_numeric_value_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value);
+static const char *hfinfo_numeric_value_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value);
static void proto_cleanup_base(void);
@@ -6832,7 +6837,7 @@ proto_item_fill_display_label(field_info *finfo, gchar *display_label_str, const
guint32 number;
guint64 number64;
const char *hf_str_val;
- char number_buf[48];
+ char number_buf[NUMBER_LABEL_LENGTH];
const char *number_out;
address addr;
const ipv4_addr_and_mask *ipv4;
@@ -10050,7 +10055,7 @@ fill_label_bitfield(field_info *fi, gchar *label_str, gboolean is_signed)
char *p;
int bitfield_byte_length, bitwidth;
guint32 value, unshifted_value;
- char buf[32];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out;
header_field_info *hfinfo = fi->hfinfo;
@@ -10125,7 +10130,7 @@ fill_label_bitfield64(field_info *fi, gchar *label_str, gboolean is_signed)
char *p;
int bitfield_byte_length, bitwidth;
guint64 value, unshifted_value;
- char buf[48];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out;
header_field_info *hfinfo = fi->hfinfo;
@@ -10233,7 +10238,7 @@ fill_label_number(field_info *fi, gchar *label_str, gboolean is_signed)
header_field_info *hfinfo = fi->hfinfo;
guint32 value;
- char buf[32];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out;
if (is_signed)
@@ -10299,7 +10304,7 @@ fill_label_number64(field_info *fi, gchar *label_str, gboolean is_signed)
header_field_info *hfinfo = fi->hfinfo;
guint64 value;
- char buf[48];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out;
if (is_signed)
@@ -10610,9 +10615,9 @@ hfinfo_char_value_format_display(int display, char buf[7], guint32 value)
}
static const char *
-hfinfo_number_value_format_display(const header_field_info *hfinfo, int display, char buf[32], guint32 value)
+hfinfo_number_value_format_display(const header_field_info *hfinfo, int display, char buf[NUMBER_LABEL_LENGTH], guint32 value)
{
- char *ptr = &buf[31];
+ char *ptr = &buf[NUMBER_LABEL_LENGTH-1];
gboolean isint = FT_IS_INT(hfinfo->type);
*ptr = '\0';
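Review bot: `char *ptr = &buf[NUMBER_LABEL_LENGTH-1];` followed by `*ptr = '\0';` now stores at offset 79 of whatever the caller passed, and because the `char buf[NUMBER_LABEL_LENGTH]` parameter is adjusted to a plain pointer, the compiler does not check the caller's array size. The callers enlarged in this diff are fine, but any call site in proto.c still declaring `char buf[32]` or `char buf[48]` would turn this into a stack out-of-bounds write; the helpers are static, so checking every call in the file is enough to confirm none was missed. hfinfo_number_value_format_display64 has the same pattern. I would add above both functions `/* buf must be at least NUMBER_LABEL_LENGTH bytes; the terminator is written at its last byte. */`. The function body continues outside the hunk.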
@@ -10647,7 +10652,7 @@ hfinfo_number_value_format_display(const header_field_info *hfinfo, int display,
case BASE_PT_TCP:
case BASE_PT_DCCP:
case BASE_PT_SCTP:
- port_with_resolution_to_str_buf(buf, 32,
+ port_with_resolution_to_str_buf(buf, NUMBER_LABEL_LENGTH,
display_to_port_type((field_display_e)display), value);
return buf;
case BASE_OUI:
@@ -10663,11 +10668,11 @@ hfinfo_number_value_format_display(const header_field_info *hfinfo, int display,
manuf_name = uint_get_manuf_name_if_known(value);
if (manuf_name == NULL) {
/* Could not find an OUI. */
- snprintf(buf, 32, "%02x:%02x:%02x", p_oui[0], p_oui[1], p_oui[2]);
+ snprintf(buf, NUMBER_LABEL_LENGTH, "%02x:%02x:%02x", p_oui[0], p_oui[1], p_oui[2]);
}
else {
/* Found an address string. */
- snprintf(buf, 32, "%02x:%02x:%02x (%s)", p_oui[0], p_oui[1], p_oui[2], manuf_name);
+ snprintf(buf, NUMBER_LABEL_LENGTH, "%02x:%02x:%02x (%s)", p_oui[0], p_oui[1], p_oui[2], manuf_name);
}
return buf;
}
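Review bot: The found-OUI branch still depends on snprintf truncation if manuf_name is ever longer than the 64 bytes the sizing comment assumes, and nothing visible in this hunk enforces that bound. The write stays within NUMBER_LABEL_LENGTH, so this is a display problem and not a memory-safety one, but a truncated label loses its closing parenthesis, which is the symptom this commit sets out to fix. Capping the name in the format makes the limit explicit and keeps the output within 75 bytes: `snprintf(buf, NUMBER_LABEL_LENGTH, "%02x:%02x:%02x (%.63s)", p_oui[0], p_oui[1], p_oui[2], manuf_name);`. That assumes p_oui holds unsigned bytes so each %02x prints two digits; its declaration is outside the hunk.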
@@ -10679,9 +10684,9 @@ hfinfo_number_value_format_display(const header_field_info *hfinfo, int display,
}
static const char *
-hfinfo_number_value_format_display64(const header_field_info *hfinfo, int display, char buf[48], guint64 value)
+hfinfo_number_value_format_display64(const header_field_info *hfinfo, int display, char buf[NUMBER_LABEL_LENGTH], guint64 value)
{
- char *ptr = &buf[47];
+ char *ptr = &buf[NUMBER_LABEL_LENGTH-1];
gboolean isint = FT_IS_INT(hfinfo->type);
*ptr = '\0';
@@ -10720,7 +10725,7 @@ hfinfo_number_value_format_display64(const header_field_info *hfinfo, int displa
}
static const char *
-hfinfo_number_value_format(const header_field_info *hfinfo, char buf[32], guint32 value)
+hfinfo_number_value_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value)
{
int display = hfinfo->display;
@@ -10735,7 +10740,7 @@ hfinfo_number_value_format(const header_field_info *hfinfo, char buf[32], guint3
}
static const char *
-hfinfo_number_value_format64(const header_field_info *hfinfo, char buf[48], guint64 value)
+hfinfo_number_value_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value)
{
int display = hfinfo->display;
@@ -10759,7 +10764,7 @@ hfinfo_char_value_format(const header_field_info *hfinfo, char buf[32], guint32
}
static const char *
-hfinfo_numeric_value_format(const header_field_info *hfinfo, char buf[32], guint32 value)
+hfinfo_numeric_value_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value)
{
/* Get the underlying BASE_ value */
int display = FIELD_DISPLAY(hfinfo->display);
@@ -10796,7 +10801,7 @@ hfinfo_numeric_value_format(const header_field_info *hfinfo, char buf[32], guint
}
static const char *
-hfinfo_numeric_value_format64(const header_field_info *hfinfo, char buf[48], guint64 value)
+hfinfo_numeric_value_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value)
{
/* Get the underlying BASE_ value */
int display = FIELD_DISPLAY(hfinfo->display);
@@ -10836,7 +10841,7 @@ hfinfo_char_vals_format(const header_field_info *hfinfo, char buf[32], guint32 v
}
static const char *
-hfinfo_number_vals_format(const header_field_info *hfinfo, char buf[32], guint32 value)
+hfinfo_number_vals_format(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint32 value)
{
/* Get the underlying BASE_ value */
int display = FIELD_DISPLAY(hfinfo->display);
@@ -10853,7 +10858,7 @@ hfinfo_number_vals_format(const header_field_info *hfinfo, char buf[32], guint32
}
static const char *
-hfinfo_number_vals_format64(const header_field_info *hfinfo, char buf[48], guint64 value)
+hfinfo_number_vals_format64(const header_field_info *hfinfo, char buf[NUMBER_LABEL_LENGTH], guint64 value)
{
/* Get the underlying BASE_ value */
int display = FIELD_DISPLAY(hfinfo->display);
@@ -12258,7 +12263,7 @@ proto_item_add_bitmask_tree(proto_item *item, tvbuff_t *tvb, const int offset,
first = FALSE;
}
else if (!(flags & BMT_NO_INT)) {
- char buf[32];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out = NULL;
if (!first) {
@@ -12305,7 +12310,7 @@ proto_item_add_bitmask_tree(proto_item *item, tvbuff_t *tvb, const int offset,
first = FALSE;
}
else if (!(flags & BMT_NO_INT)) {
- char buf[32];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out = NULL;
if (!first) {
@@ -12347,7 +12352,7 @@ proto_item_add_bitmask_tree(proto_item *item, tvbuff_t *tvb, const int offset,
first = FALSE;
}
else if (!(flags & BMT_NO_INT)) {
- char buf[48];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out = NULL;
if (!first) {
@@ -12393,7 +12398,7 @@ proto_item_add_bitmask_tree(proto_item *item, tvbuff_t *tvb, const int offset,
first = FALSE;
}
else if (!(flags & BMT_NO_INT)) {
- char buf[48];
+ char buf[NUMBER_LABEL_LENGTH];
const char *out = NULL;
if (!first) {