From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Wed, 6 Sep 2023 06:13:23 -0400
Subject: [PATCH] RTPS: Check for signed overflow
Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add
The offset is a signed integer, and we use negative offsets
to mean "offset counting from the end of the tvb." That means
that we can still have an excessive loop without unsigned overflow
or running off the end of the tvb, if the result of adding a large
unsigned integer to the offset results in a small negative number.
Just check if the result of the addition makes the offset move
backwards.
Fix #19322
(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
---
epan/dissectors/packet-rtps.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
index 82ac8f9436b..c152d50dfc6 100644
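--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
 "RTPS fragments"
 };
 
-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
 {
- if (offset > G_MAXUINT32 - value) {
+ gint new_offset = offset + (gint)value;
+ if (new_offset < offset) {
 proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
 THROW(ReportedBoundsError);
 }
- return offset + value;
+ return new_offset;
 }
 
 static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,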
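Review bot: The overflow test in check_offset_addition runs only after `offset + (gint)value` has been evaluated, and signed overflow is undefined behaviour in C, so an optimising compiler is allowed to reduce `new_offset < offset` to a sign test on `(gint)value` unless the build forces wrapping arithmetic (not visible in this hunk). Checking the operands before adding removes that dependency: `if (value > (guint32)G_MAXINT || offset > G_MAXINT - (gint)value) {` in place of the current condition, keeping the expert item and THROW, and then `return offset + (gint)value;`. For inputs where the current addition does not overflow, this rejects the same cases (a value that casts negative, or a sum past G_MAXINT) and still lets negative "from the end" offsets through. A one-line comment above the function stating that offset may be negative and that the result must never move backwards would also record why the return type changed from guint32 to gint.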
--
GitLab