We can't check the length of an SHB until we determine the byte order.

Don't check a possibly-byte-swapped length against the minimum SHB size; it'll probably look huge if it's byte-swapped, so the test won't fail even if it is too small, and a really huge SHB's length could look too small if it's byte-swapped. Do the check *after* we've read the fixed-length portion of the block; yes, that means we've read past the purported size of the block at that point, but if that read succeeds, that doesn't matter, and if that read fails, it just means we'll report "file cut short" rather than "bad SHB length", *both* of which are problems with the file. Change-Id: Ie3b5700662f2a6da40d373a84f00a8fc2cf0ce1b Reviewed-on: https://code.wireshark.org/review/4692 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-14 16:53:03 -07:00 · 2014-10-14 16:53:03 -07:00 · 0ac9449442
parent 44204614e8
commit 0ac9449442
1 changed files with 16 additions and 16 deletions
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@ -503,22 +503,7 @@ pcapng_read_section_header_block(FILE_T fh, gboolean first_block,
    pcapng_option_header_t oh;
    char *option_content = NULL; /* Allocate as large as the options block */

-    /*
-     * Is this block long enough to be an SHB?
-     */
-    if (bh->block_total_length < MIN_SHB_SIZE) {
-        /*
-         * No.
-         */
-        if (first_block)
-            return -2;       /* probably not a pcap-ng file */
-        *err = WTAP_ERR_BAD_FILE;
-        *err_info = g_strdup_printf("pcapng_read_section_header_block: total block length %u of an SHB is less than the minimum SHB size %u",
-                                    bh->block_total_length, MIN_SHB_SIZE);
-        return -1;
-    }
-
-    /* read block content */
+    /* read fixed-length part of the block */
    if (!wtap_read_bytes(fh, &shb, sizeof shb, err, err_info)) {
        if (*err == WTAP_ERR_SHORT_READ) {
            if (first_block) {
@ -571,6 +556,21 @@ pcapng_read_section_header_block(FILE_T fh, gboolean first_block,
            return -1;
    }

+    /*
+     * Is this block long enough to be an SHB?
+     */
+    if (bh->block_total_length < MIN_SHB_SIZE) {
+        /*
+         * No.
+         */
+        if (first_block)
+            return -2;       /* probably not a pcap-ng file */
+        *err = WTAP_ERR_BAD_FILE;
+        *err_info = g_strdup_printf("pcapng_read_section_header_block: total block length %u of an SHB is less than the minimum SHB size %u",
+                                    bh->block_total_length, MIN_SHB_SIZE);
+        return -1;
+    }
+
    /* OK, at this point we assume it's a pcap-ng file.

       Don't try to allocate memory for a huge number of options, as