From 3cd5ac36e20d56a43e002b926aec3b99488c85a1 Mon Sep 17 00:00:00 2001
From: Dario Lombardo
Date: Sat, 26 Jan 2019 17:10:53 +0100
Subject: [PATCH] BER: don't use invalid time offsets.

4 digits values could overflow the destination buffer. Skip them since they're invalid and can only from tainted data.

Bug: 15447
Change-Id: Ice6d4f144597499483160ecaa63702025ab86f61
Reviewed-on: https://code.wireshark.org/review/31751
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu
---
 epan/dissectors/packet-ber.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index 93291d2..925d4c1 100644
--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -3658,7 +3658,7 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
 first_delim[0] = 0;
 second_delim[0] = 0;
- ret = sscanf( tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
+ ret = sscanf(tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
 /* tmp_int does not contain valid value because of overflow but we use it just for format checking */
 if (ret < 1) {
 /* Nothing matched */
@@ -3684,9 +3684,11 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
 /*
 * Fraction of a minute or an hour.
 */
- if (ret == 2) {
+ if (ret == 2 || first_digits < 0 || first_digits > 999) {
 /*
- * We saw the decimal sign, but didn't see the fraction.
+ * We saw the decimal sign, but didn't see the fraction
+ * or
+ * we got a number outside the valid range.
 */
 goto invalid;
 }
-- 
1.7.12.4
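Review bot: The range check added in the second hunk guards `first_digits` only on the fraction path, while `second_digits` is filled by the same `%4d` conversion in the `sscanf` call and gets no bound anywhere in this patch. `%4d` accepts a leading sign, so a negative value can come out of tainted input for either variable; if `second_digits` (or `first_digits` when it is used as a UTC offset rather than a fraction) is later formatted into a fixed-width field, it presumably needs an equivalent guard, e.g. `if (second_digits < 0) goto invalid;` before it is printed. The literal `999` depends on an output width and buffer size that are not visible here, so a comment such as `/* the fraction is formatted as exactly three digits */` next to the condition would keep the check and the formatter from drifting apart. dissect_ber_GeneralizedTime starts and ends outside both hunks, so the code that consumes these values could not be checked from this page.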