packages/wireshark
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
wireshark/wireshark-CVE-2018-19622.patch
gu-gu-gu 2cdf36b8a8 wireshark:openEuler init
2019-12-02 20:44:06 +08:00

72 lines
2.5 KiB
Diff
Raw Blame History

From 1ddaf1a0944ffe95d69717ac9fdc60824932f676 Mon Sep 17 00:00:00 2001
From: Jeff Morriss <jeff.morriss.ws@gmail.com>
Date: Fri, 9 Nov 2018 15:16:35 -0500
Subject: [PATCH] MMSE: catch length overflows to avoid infinite loop.
After fetching a length from the packet ensure those bytes exist to
avoid integer overflows by callers (while avoiding having to ensure
every caller checks for overflows).
Also add a check to ensure the loop in question is progressing through
the TVB; report a dissector bug if it doesn't.
Bug: 15250
Change-Id: I9434bfe9d530942fd45342690383df2decacdba1
Reviewed-on: https://code.wireshark.org/review/30560
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
epan/dissectors/packet-mmse.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-mmse.c b/epan/dissectors/packet-mmse.c
index ffb4faa..1e3d13a 100644
--- a/epan/dissectors/packet-mmse.c
+++ b/epan/dissectors/packet-mmse.c
@@ -487,6 +487,12 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count, packet_info *pi
field = tvb_get_guintvar(tvb, offset, byte_count, pinfo, &ei_mmse_oversized_uintvar);
(*byte_count)++;
}
+
+ /* The packet says there are this many bytes; ensure they're there.
+ * We do this here because several callers do math on the length we
+ * return here and may not catch an overflow.
+ */
+ tvb_ensure_bytes_exist(tvb, offset, field);
return field;
}
@@ -689,7 +695,7 @@ static void
dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
const char *message_type)
{
- guint offset;
+ guint offset, old_offset;
guint8 field = 0;
const char *strval;
guint length;
@@ -711,6 +717,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
proto_tree_add_uint(mmse_tree, hf_mmse_message_type, tvb, 0, 2, pdut);
offset = 2; /* Skip Message-Type */
+ old_offset = 1;
/*
* Cycle through MMS-headers
@@ -1209,6 +1216,11 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
break;
}
DebugLog(("\tEnd(case)\n"));
+
+ if (offset <= old_offset) {
+ REPORT_DISSECTOR_BUG("Offset isn't increasing (offset=%u, old offset=%u)", offset, old_offset);
+ }
+ old_offset = offset;
}
DebugLog(("\tEnd(switch)\n"));
--
1.7.12.4
Reference in New Issue View Git Blame Copy Permalink