From 09e787a8fb4a1a04366e57c059c4997abcd9183e Mon Sep 17 00:00:00 2001
From: Michael Mann
Date: Thu, 20 Apr 2017 13:05:52 -0400
Subject: sigcomp: Shift operand should be limited to 16 bits
Change-Id: I5a6fbcacf874962c361e68fef7402dc775aca658
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1154
Bug: 13610
Reviewed-on: https://code.wireshark.org/review/21250
Petri-Dish: Michael Mann
Reviewed-by: Michael Mann
---
 epan/dissectors/packet-sigcomp.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'epan/dissectors/packet-sigcomp.c')
diff --git a/epan/dissectors/packet-sigcomp.c b/epan/dissectors/packet-sigcomp.c
index 52bda8e283..d5bb66d050 100644
--- a/epan/dissectors/packet-sigcomp.c
+++ b/epan/dissectors/packet-sigcomp.c
@@ -159,6 +159,7 @@ static gint ett_raw_text = -1;
 static expert_field ei_sigcomp_nack_failed_op_code = EI_INIT;
 static expert_field ei_sigcomp_invalid_instruction = EI_INIT;
+static expert_field ei_sigcomp_invalid_shift_value = EI_INIT;
 /* Generated from convert_proto_tree_add_text.pl */
 static expert_field ei_sigcomp_tcp_fragment = EI_INIT;
 static expert_field ei_sigcomp_decompression_failure = EI_INIT;
@@ -1785,7 +1786,7 @@ decompress_sigcomp_message(tvbuff_t *bytecode_tvb, tvbuff_t *message_tvb, packet
 guint8 *sha1buff;
 unsigned char sha1_digest_buf[STATE_BUFFER_SIZE];
 gcry_md_hd_t sha1_handle;
- proto_item *addr_item = NULL;
+ proto_item *addr_item = NULL, *ti = NULL;
 /* UDVM operand variables */
@@ -2114,9 +2115,13 @@ execute_next_instruction:
 /* %operand_2*/
 next_operand_address = decode_udvm_multitype_operand(buff, operand_address, &operand_2);
 if (show_instr_detail_level == 2 ) {
- proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
+ ti = proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
 "Addr: %u operand_2 %u", operand_address, operand_2);
 }
+ if (operand_2 > 15) {
+ expert_add_info(pinfo, ti, &ei_sigcomp_invalid_shift_value);
+ break;
+ }
 offset += (next_operand_address-operand_address);
 if (show_instr_detail_level == 1) {
@@ -2157,9 +2162,13 @@ execute_next_instruction:
 /* %operand_2*/
 next_operand_address = decode_udvm_multitype_operand(buff, operand_address, &operand_2);
 if (show_instr_detail_level == 2 ) {
- proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
+ ti = proto_tree_add_uint_format(udvm_tree, hf_udvm_operand_2, bytecode_tvb, offset, (next_operand_address-operand_address), operand_2,
 "Addr: %u operand_2 %u", operand_address, operand_2);
 }
+ if (operand_2 > 15) {
+ expert_add_info(pinfo, ti, &ei_sigcomp_invalid_shift_value);
+ break;
+ }
 offset += (next_operand_address-operand_address);
 if (show_instr_detail_level == 1) {
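Review bot: The new `operand_2 > 15` guard in both hunks on this line attaches its expert item to `ti`, but `ti` is only assigned inside the `show_instr_detail_level == 2` branch, so at any other detail level it is still the NULL it was initialised to at the top of decompress_sigcomp_message and the warning is not tied to the operand that caused it (whether expert_add_info does anything useful with a NULL item should be confirmed against expert.h). Recording the offending value in the message would make the warning self-contained at every detail level: `expert_add_info_format(pinfo, ti, &ei_sigcomp_invalid_shift_value, "Shift value %u exceeds 15", operand_2);`. Whether `break` aborts the decompression or lets the UDVM run on to the next instruction depends on the code after the switch, which is outside the hunk; if execution continues, operand_1 is left unmodified and `offset` is stale, which a decompression-failure path would make explicit. The bound 15 is a bare number repeated in both hunks; a named constant tied to the 16-bit UDVM word width would document why it is 15 and keep the two checks in step.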
@@ -6670,6 +6679,7 @@ proto_register_sigcomp(void)
 static ei_register_info ei[] = {
 { &ei_sigcomp_nack_failed_op_code, { "sigcomp.nack.failed_op_code.expert", PI_SEQUENCE, PI_WARN, "SigComp NACK", EXPFILL }},
 { &ei_sigcomp_invalid_instruction, { "sigcomp.invalid_instruction", PI_PROTOCOL, PI_WARN, "Invalid instruction", EXPFILL }},
+ { &ei_sigcomp_invalid_shift_value, { "sigcomp.invalid_shift_value", PI_PROTOCOL, PI_WARN, "Invalid shift value", EXPFILL }},
 /* Generated from convert_proto_tree_add_text.pl */
 { &ei_sigcomp_sigcomp_message_decompression_failure, { "sigcomp.message_decompression_failure", PI_PROTOCOL, PI_WARN, "SigComp message Decompression failure", EXPFILL }},
 { &ei_sigcomp_execution_of_this_instruction_is_not_implemented, { "sigcomp.execution_of_this_instruction_is_not_implemented", PI_UNDECODED, PI_WARN, "Execution of this instruction is NOT implemented", EXPFILL }},
--
cgit v1.2.3