author | Gerald Combs <gerald@wireshark.org> | 2000-11-19 19:23:54 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2000-11-19 19:23:54 +0000 |
commit | db1285dce68b4f8d941e7b20521194d39c6a6f68 (patch) | |
tree | ebbf916cda46184b034e9457735a56a9e30b3e1c /packet-icq.c | |
parent | 2c456a433a556d464f0f08825d7454c6326c6b89 (diff) |
Dynamically resize decr_pd in dissect_icqv5Client() in order to avoid
a possible buffer overflow on media with frame sizes greater than
1600 bytes.
According to http://www.student.nada.kth.se/~d95-mih/icq/ there isn't
an upper bound to the size of a v5 packet, so we grow dynamically to
fit what we've been handed.
svn path=/trunk/; revision=2672
Diffstat (limited to 'packet-icq.c')
-rw-r--r-- | packet-icq.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/packet-icq.c b/packet-icq.c
index f4976f5bb2..1fa21a8651 100644
--- a/packet-icq.c
+++ b/packet-icq.c
@@ -1,7 +1,7 @@
 /* packet-icq.c
  * Routines for ICQ packet disassembly
  *
- * $Id: packet-icq.c,v 1.22 2000/11/19 08:53:58 guy Exp $
+ * $Id: packet-icq.c,v 1.23 2000/11/19 19:23:54 gerald Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Johan Feyaerts
@@ -2051,10 +2051,17 @@ dissect_icqv5Client(const u_char *pd,
     guint16 seqnum1 = 0 , seqnum2 = 0;
     guint32 uin = -1, sessionid = -1;
     guint32 key = -1;
-    guint16 pktsize = -1; /* The size of the ICQ content */
-    u_char decr_pd[1600]; /* Decrypted content, size should be dynamic */
+    guint16 pktsize = -1; /* The size of the ICQ content */
+    static u_char *decr_pd = NULL; /* Decrypted content */
 
     pktsize = END_OF_FRAME;
+
+    if (decr_pd == NULL)
+        decr_pd = (u_char *) g_malloc(sizeof (u_char) * 128);
+
+    while (sizeof(decr_pd) < pktsize + 3)
+        decr_pd = (u_char *) g_realloc(decr_pd, sizeof (decr_pd) * 2);
+
     /* First copy the memory, we don't want to overwrite the old content */
     memcpy(decr_pd, &pd[offset], pktsize);
     if (pktsize>0x14) {
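Review bot: The growth loop in the second hunk measures `sizeof(decr_pd)`, which after this change is the size of a `u_char *` (4 or 8 bytes) rather than the size of the allocation, so for any `pktsize + 3` larger than a pointer the `while` never terminates and every `g_realloc` asks for only `2 * sizeof(u_char *)` bytes, while for smaller packets the 128-byte buffer is never grown at all and the `memcpy` that follows can still write past it. The allocated length has to be tracked in its own static variable and both the initial allocation and the reallocation driven by it; the rewritten lines are below. Reassigning `decr_pd` directly from `g_realloc` is acceptable here only because GLib's `g_malloc`/`g_realloc` abort instead of returning NULL, and the `+ 3` slack deserves a comment saying what it reserves. dissect_icqv5Client() begins before this hunk (only its signature is visible in the `@@` context) and continues past it.
```c
    static u_char *decr_pd = NULL;    /* Decrypted content, grown on demand */
    static guint decr_pd_len = 0;     /* bytes currently allocated for decr_pd */
    /* … unchanged: pktsize = END_OF_FRAME; … */
    if (decr_pd == NULL) {
        decr_pd_len = 128;
        decr_pd = g_malloc(decr_pd_len);
    }
    while (decr_pd_len < (guint)pktsize + 3) {
        decr_pd_len *= 2;
        decr_pd = g_realloc(decr_pd, decr_pd_len);
    }
    /* … unchanged: memcpy into decr_pd and the pktsize > 0x14 branch … */
```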