diff options
author | Björn Ruytenberg <bjorn@bjornweb.nl> | 2017-04-22 23:33:57 +0200 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-04-23 00:29:50 +0000 |
commit | 6fdf8eb5a92d51617203be1a712c15585b156497 (patch) | |
tree | 17818779e5f635cb5b81059639e08576d97772f8 /epan | |
parent | f42b2a531e0c9cafe7d694cb1109dd53c33fdd40 (diff) |
DOF: Fix buffer overflow (read)
Perform sanity check on buffer length parsed from data. Check buffer
size before reading value.
Change-Id: I8beaf8860b39426d79867b0dd2221e57e32da8e0
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1151
Bug: 13608
Reviewed-on: https://code.wireshark.org/review/21287
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-dof.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/epan/dissectors/packet-dof.c b/epan/dissectors/packet-dof.c index 811ea514fa..ab48f6e9cb 100644 --- a/epan/dissectors/packet-dof.c +++ b/epan/dissectors/packet-dof.c @@ -3861,6 +3861,14 @@ typedef struct DOFObjectIDAttribute_t const guint8 *data; /**< Attribute data. **/ } DOFObjectIDAttribute; +/** +* Read variable-length value from buffer. +* +* @param maxSize [in] Maximum size of value to be read +* @param bufLength [in,out] Input: size of buffer, output: size of value in buffer +* @param buffer [in] Actual buffer +* @return Uncompressed value if buffer size is valid (or 0 on error) +*/ static guint32 OALMarshal_UncompressValue(guint8 maxSize, guint32 *bufLength, const guint8 *buffer) { guint32 value = 0; @@ -3894,6 +3902,10 @@ static guint32 OALMarshal_UncompressValue(guint8 maxSize, guint32 *bufLength, co break; } + /* Sanity check */ + if (size > *bufLength) + return 0; + value = buffer[used++] & mask; while (used < size) value = (value << 8) | buffer[used++]; @@ -3902,20 +3914,15 @@ static guint32 OALMarshal_UncompressValue(guint8 maxSize, guint32 *bufLength, co return (value); } -static guint32 DOFObjectID_GetClassSize_Bytes(const guint8 *pBytes) +static guint32 DOFObjectID_GetClassSize(DOFObjectID self) { - guint32 size = 4; + guint32 size = self->len; - (void)OALMarshal_UncompressValue(DOFOBJECTID_MAX_CLASS_SIZE, &size, pBytes); + (void)OALMarshal_UncompressValue(DOFOBJECTID_MAX_CLASS_SIZE, &size, self->oid); return size; } -static guint32 DOFObjectID_GetClassSize(DOFObjectID self) -{ - return DOFObjectID_GetClassSize_Bytes(self->oid); -} - static guint32 DOFObjectID_GetDataSize(const DOFObjectID self) { return ((*((const guint8 *)self->oid + DOFObjectID_GetClassSize(self))) & OID_DATA_LEN_MASK); |