author | Pascal Quantin <pascal.quantin@gmail.com> | 2017-06-19 17:42:13 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-06-19 23:46:03 +0000 |
commit | 29007051743551c4156e2fe9f3f5b358fcf907e1 (patch) | |
tree | 52597d4d19c649b305cbf806b053ff76dae6150e /epan | |
parent | fbfb87a2439dd18f2318586b8e5a2f6db410ba6a (diff) |
X11: more sanity checks for BIG-REQUESTS messages
Check that we do not have any overflow when converting words to bytes
Bug: 13810
Change-Id: I43604f7bab427fc542c281e386ab9b994338366d
Reviewed-on: https://code.wireshark.org/review/22227
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-x11.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/epan/dissectors/packet-x11.c b/epan/dissectors/packet-x11.c
index 631bc9ed61..0b0fb73287 100644
--- a/epan/dissectors/packet-x11.c
+++ b/epan/dissectors/packet-x11.c
@@ -3503,7 +3503,10 @@ static void dissect_x11_request(tvbuff_t *tvb, packet_info *pinfo,
 if (length == 0) {
 /* BIG-REQUESTS extension */
- length = tvb_get_guint32(tvb, query_ext_offset, byte_order) * 4;
+ length = tvb_get_guint32(tvb, query_ext_offset, byte_order);
+ if ((gint64)length * 4 > G_MAXINT32)
+ return;
+ length *= 4;
 query_ext_offset += 4;
 }
@@ -4851,7 +4854,7 @@ static void dissect_x11_requests(tvbuff_t *tvb, packet_info *pinfo,
 int length_remaining;
 volatile guint byte_order;
 guint8 opcode;
- volatile int plen;
+ volatile gint plen;
 proto_item *ti;
 volatile gboolean is_initial_creq;
 guint16 auth_proto_len, auth_data_len;
@@ -5013,6 +5016,7 @@ static void dissect_x11_requests(tvbuff_t *tvb, packet_info *pinfo,
 plen = 12 + ROUND_LENGTH(auth_proto_len) +
 ROUND_LENGTH(auth_data_len);
 } else {
+ gint64 tmp = (gint64)plen * 4;
 /*
 * This is probably an ordinary request.
 */
@@ -5021,7 +5025,12 @@ static void dissect_x11_requests(tvbuff_t *tvb, packet_info *pinfo,
 /*
 * The length of a request is in 4-byte words.
 */
- plen *= 4;
+ if (tmp > G_MAXINT32) {
+ ti = proto_tree_add_item(tree, proto_x11, tvb, offset, -1, ENC_NA);
+ expert_add_info_format(pinfo, ti, &ei_x11_request_length, "Bogus request length (%"G_GINT64_MODIFIER"d)", tmp);
+ return;
+ }
+ plen = (gint)tmp;
 }
 /* |
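Review bot: The new `return` in the BIG-REQUESTS branch of dissect_x11_request drops the request silently, so an oversized extended length leaves no trace for whoever reads the capture, while the equivalent check added later in dissect_x11_requests reports it through `ei_x11_request_length`. Reporting the same expert info here before returning would keep malformed-length traffic visible; whether a suitable tree item is in scope cannot be seen from the hunk. The guard also tests only the upper bound, and the declaration of `length` is outside the hunk: if it is a signed type, a word count with the top bit set is already negative after the assignment and passes `> G_MAXINT32`. Checking the raw value before it is stored avoids depending on that type: `guint32 words = tvb_get_guint32(tvb, query_ext_offset, byte_order);` followed by `if (words > G_MAXINT32 / 4) return;` and `length = words * 4;`.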
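Review bot: `tmp` is computed in its declaration at the top of the `else` block, several lines before the check that consumes it, and the name says nothing about what it holds. The initialiser relies on `plen` still being the raw request length in 4-byte words at that point, and that assignment is outside this hunk. A name such as `plen_bytes` plus a comment like `/* request length in bytes; 64-bit so the multiply by 4 cannot wrap */` would make the dependency and the reason for the widening explicit.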
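Review bot: The test `tmp > G_MAXINT32` rejects only lengths that are too large, but `plen` is a signed `gint` (second hunk), so a negative word count is not caught. If the value stored in `plen` came from a 32-bit field with the top bit set (the assignment is outside the hunk, so this is inferred), `tmp` is negative, passes the test, and `plen = (gint)tmp` produces a negative or truncated length for the code that follows. Rejecting both sides closes the gap: `if (tmp < 0 || tmp > G_MAXINT32) {`. The existing expert-info message already prints `tmp`, so it needs no change.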