Add record length checks.

Make sure the summary record is large enough; if not, report it as a bad file. If it's *too* large, skip the added data. Clean up the length check for the header records - use sizeof, as we later use sizeof when subtracting the fixed length portion's length. Change-Id: I70697804eaa0cbbb1fb074eadf6457d237f26876 Reviewed-on: https://code.wireshark.org/review/36814 Petri-Dish: Guy Harris <gharris@sonic.net> Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris <gharris@sonic.net>
author: Guy Harris <guy@alum.mit.edu> 2020-04-12 14:55:52 -0700
committer: Guy Harris <gharris@sonic.net> 2020-04-12 22:44:12 +0000
commit: ada1a5c770e00d087385e2ec870291d67e190959 (patch)
tree: 9e3cc74ed429c428c7a1bca3a9f4547b40bb0988 /wiretap/lanalyzer.c
parent: 1070d7b37634e419d239ab878f6759f055746f0d (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/wiretap/lanalyzer.c b/wiretap/lanalyzer.c
index 6654a1bf23..7282f503d5 100644
--- a/wiretap/lanalyzer.c
+++ b/wiretap/lanalyzer.c
@@ -294,7 +294,7 @@ wtap_open_return_val lanalyzer_open(wtap *wth, int *err, gchar **err_info)
       }
 
       /* Read the major and minor version numbers */
-      if (record_length < 2) {
+      if (record_length < sizeof header_fixed) {
             /*
              * Not enough room for the major and minor version numbers.
              * Just treat that as a "not a LANalyzer file" indication.
@@ -355,6 +355,12 @@ wtap_open_return_val lanalyzer_open(wtap *wth, int *err, gchar **err_info)
             switch (record_type) {
                   /* Trace Summary Record */
             case RT_Summary:
+                  if (record_length < sizeof summary) {
+                        *err = WTAP_ERR_BAD_FILE;
+                        *err_info = g_strdup_printf("lanalyzer: summary record length %u is too short",
+                                                    record_length);
+                        return WTAP_OPEN_ERROR;
+                  }
                   if (!wtap_read_bytes(wth->fh, summary,
                                        sizeof summary, err, err_info))
                         return WTAP_OPEN_ERROR;
@@ -406,8 +412,15 @@ wtap_open_return_val lanalyzer_open(wtap *wth, int *err, gchar **err_info)
                         *err_info = g_strdup_printf("lanalyzer: file has more than one summary record");
                         return WTAP_OPEN_ERROR;
                   }
-
                   found_summary = TRUE;
+
+                  /* Skip the rest of the record */
+                  record_length -= sizeof summary;
+                  if (record_length != 0) {
+                        if (!wtap_read_bytes(wth->fh, NULL, record_length, err, err_info)) {
+                              return WTAP_OPEN_ERROR;
+                        }
+                  }
                   break;
 
                   /* Trace Packet Data Record */
author	Guy Harris <guy@alum.mit.edu>	2020-04-12 14:55:52 -0700
committer	Guy Harris <gharris@sonic.net>	2020-04-12 22:44:12 +0000
commit	ada1a5c770e00d087385e2ec870291d67e190959 (patch)
tree	9e3cc74ed429c428c7a1bca3a9f4547b40bb0988 /wiretap/lanalyzer.c
parent	1070d7b37634e419d239ab878f6759f055746f0d (diff)