From 3cd5ac36e20d56a43e002b926aec3b99488c85a1 Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Sat, 26 Jan 2019 17:10:53 +0100
Subject: [PATCH] BER: don't use invalid time offsets.
4 digits values could overflow the destination buffer. Skip them
since they're invalid and can only come from tainted data.
Bug: 15447
Change-Id: Ice6d4f144597499483160ecaa63702025ab86f61
Reviewed-on: https://code.wireshark.org/review/31751
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
---
epan/dissectors/packet-ber.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index 93291d2..925d4c1 100644
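--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -3658,7 +3658,7 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
 
 first_delim[0] = 0;
 second_delim[0] = 0;
- ret = sscanf( tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
+ ret = sscanf(tmpstr, "%14d%1[.,+-Z]%4d%1[+-Z]%4d", &tmp_int, first_delim, &first_digits, second_delim, &second_digits);
 /* tmp_int does not contain valid value because of overflow but we use it just for format checking */
 if (ret < 1) {
 /* Nothing matched */
@@ -3684,9 +3684,11 @@ dissect_ber_GeneralizedTime(gboolean implicit_tag, asn1_ctx_t *actx, proto_tree
 /*
 * Fraction of a minute or an hour.
 */
- if (ret == 2) {
+ if (ret == 2 || first_digits < 0 || first_digits > 999) {
 /*
- * We saw the decimal sign, but didn't see the fraction.
+ * We saw the decimal sign, but didn't see the fraction
+ * or
+ * we got a number outside the valid range.
 */
 goto invalid;
 }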
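Review bot: The new range check `if (ret == 2 || first_digits < 0 || first_digits > 999)` guards only `first_digits`, and only in the fraction branch, while the same `sscanf` reads `second_digits` with the same `%4d` width and neither hunk shows a bound on it. The subject line speaks of time offsets, so the offset branches presumably format these integers as well; they lie outside this hunk, as does the rest of dissect_ber_GeneralizedTime. If those branches write into the same fixed-size buffer, they need an equivalent check on both values before formatting, and the write position should not advance by more than was actually stored. The limit also deserves a reason next to it, for example `/* %4d accepts a sign and up to four characters; only 0..999 is accepted here, assuming the fraction is written as three digits */`.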
--
1.7.12.4