From 2fbbde780e5d5d82e31dca656217daf278cf62bb Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Tue, 5 Mar 2019 17:25:24 +0100
Subject: [PATCH] netscaler: add more sanity checks.

Fix more crashes found in the provided bug report.

Bug: 15497
Change-Id: If84498fa879ad56c8677f8c1442a8dc0e5906003
Reviewed-on: https://code.wireshark.org/review/32333
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit 134a513dd59315d67866f238459fdee6347f1055)
Reviewed-on: https://code.wireshark.org/review/32422
(cherry picked from commit fc8367a50516e832be960a9001ccdb09ced9b27f)
Reviewed-on: https://code.wireshark.org/review/32430
Reviewed-by: Guy Harris <guy@alum.mit.edu>
---
 wiretap/netscaler.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index c88c082..fc350e2 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -653,6 +653,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const struct wtap_pkthdr *phdr,
 #define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size))
 #define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size))
 
+/*
+ * Check whether we have enough room to retrieve the data in the caller.
+ * If not, we have a malformed file.
+ */
+static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info)
+{
+    if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) {
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup("nstrace: malformed file");
+        return FALSE;
+    }
+    return TRUE;
+}
+
 static guint64 ns_hrtime2nsec(guint32 tm)
 {
     guint32    val = tm & NSPR_HRTIME_MASKTM;
@@ -940,6 +940,8 @@ nspm_signature_version(wtap *wth, gchar *nstrace_buf, gint32 len)
                 switch (nspr_getv##ver##recordtype(fp))\
                 {\
                     case NSPR_ABSTIME_V##ver:\
+                        if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_abstime_v##ver##_t), err, err_info))\
+                            return FALSE;\
                         ns_setabstime(nstrace, pletoh32(&((nspr_abstime_v##ver##_t *) fp)->abs_Time), pletoh16(&((nspr_abstime_v##ver##_t *) fp)->abs_RelTime));\
                         nstrace->nstrace_buf_offset = nstrace_buf_offset + nspr_getv##ver##recordsize(fp);\
                         nstrace->nstrace_buflen = nstrace_buflen;\
@@ -1330,6 +1332,8 @@ static gboolean nstrace_read_v20(wtap *wth, int *err, gchar **err_info, gint64 *
 
                 case NSPR_RELTIME_V20:
                 {
+                    if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_hd_v20_t), err, err_info))
+                        return FALSE;
                     nspr_pktracefull_v20_t *fp20 = (nspr_pktracefull_v20_t *) &nstrace_buf[nstrace_buf_offset];
                     if (nspr_getv20recordsize((nspr_hd_v20_t *)fp20) == 0) {
                         *err = WTAP_ERR_BAD_FILE;
-- 
2.7.4