71 lines
2.5 KiB
Diff
71 lines
2.5 KiB
Diff
From b7a0650e061b5418ab4a8f72c6e4b00317aff623 Mon Sep 17 00:00:00 2001
|
|
From: Gerald Combs <gerald@wireshark.org>
|
|
Date: Mon, 19 Apr 2021 10:39:01 -0700
|
|
Subject: [PATCH] MS-WSP: Don't allocate huge amounts of memory.
|
|
|
|
Add a couple of memory allocation sanity checks, one of which
|
|
fixes #17331.
|
|
---
|
|
epan/dissectors/packet-mswsp.c | 18 +++++++++---------
|
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
|
|
index 37ad06c2b2..38bcefd072 100644
|
|
--- a/epan/dissectors/packet-mswsp.c
|
|
+++ b/epan/dissectors/packet-mswsp.c
|
|
@@ -313,8 +313,10 @@ struct CTableColumn {
|
|
guint16 lengthoffset;
|
|
char name[PROP_LENGTH];
|
|
};
|
|
-/* minimum size in bytes on the wire CTableColumn can be */
|
|
+/* Minimum size in bytes on the wire CTableColumn can be */
|
|
#define MIN_CTABLECOL_SIZE 32
|
|
+/* Maximum sane size in bytes on the wire CTableColumn can be. Arbitrary. */
|
|
+#define MAX_CTABLECOL_SIZE 5000
|
|
|
|
/* 2.2.3.10 */
|
|
|
|
@@ -3973,6 +3975,8 @@ static int vvalue_tvb_lpwstr(tvbuff_t *tvb, int offset, void *val)
|
|
return 4 + vvalue_tvb_lpwstr_len(tvb, offset + 4, 0, val);
|
|
}
|
|
|
|
+/* Maximum sane vector size. Arbitrary. */
|
|
+#define MAX_VT_VECTOR_SIZE 5000
|
|
static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vector *val, struct vtype_data *type, guint num)
|
|
{
|
|
const int offset_in = offset;
|
|
@@ -3987,18 +3991,14 @@ static int vvalue_tvb_vector_internal(tvbuff_t *tvb, int offset, struct vt_vecto
|
|
* here, before making a possibly-doomed attempt to allocate
|
|
* memory for it.
|
|
*
|
|
- * First, check for an overflow.
|
|
+ * First, check for sane values.
|
|
*/
|
|
- if ((guint64)elsize * (guint64)num > G_MAXUINT) {
|
|
- /*
|
|
- * We never have more than G_MAXUINT bytes in a tvbuff,
|
|
- * so this will *definitely* fail.
|
|
- */
|
|
+ if (num > MAX_VT_VECTOR_SIZE) {
|
|
THROW(ReportedBoundsError);
|
|
}
|
|
|
|
/*
|
|
- * No overflow; now make sure we at least have that data.
|
|
+ * No huge numbers from the wire; now make sure we at least have that data.
|
|
*/
|
|
tvb_ensure_bytes_exist(tvb, offset, elsize * num);
|
|
|
|
@@ -5859,7 +5859,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
|
|
|
|
/* Sanity check size value */
|
|
column_size = num*MIN_CTABLECOL_SIZE;
|
|
- if (column_size > tvb_reported_length_remaining(tvb, offset))
|
|
+ if (num > MAX_CTABLECOL_SIZE || column_size > tvb_reported_length_remaining(tvb, offset))
|
|
{
|
|
expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
|
|
return tvb_reported_length(tvb);
|
|
--
|
|
GitLab
|
|
|