Fixed an ep_ buffer overflow (off by one) in oid_subid2string()

Abort on integer overflow in oid_string2subid() and oid_encoded2subid()





svn path=/trunk/; revision=22688
Luis Ontanon 2007-08-27 19:14:30 +00:00
parent 49dbf60a03
commit 1b760a7ae5
1 changed files with 20 additions and 5 deletions


@ -686,7 +686,7 @@ void oids_init(void) {
} }
const char* oid_subid2string(guint32* subids, guint len) { const char* oid_subid2string(guint32* subids, guint len) {
char* s = ep_alloc0(len*11); char* s = ep_alloc0(((len)*11)+1);
char* w = s; char* w = s;
DISSECTOR_ASSERT(subids); DISSECTOR_ASSERT(subids);
@ -695,7 +695,7 @@ const char* oid_subid2string(guint32* subids, guint len) {
w += sprintf(w,"%u.",*subids++); w += sprintf(w,"%u.",*subids++);
} while(--len); } while(--len);
if (w!=s) *(w-1) = '\0'; else *(w) = '\0'; if (w!=s) *(w-1) = '\0'; else *(s) = '\0';
return s; return s;
} }
@ -735,6 +735,11 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
guint32* subids; guint32* subids;
guint32* subids_overflow; guint32* subids_overflow;
guint n = check_num_oid(str); guint n = check_num_oid(str);
/*
* we cannot handle sub-ids greater than 32bytes
* keep a pilot subid of 64 bytes to check the limit
*/
guint64 subid = 0;
D(6,("oid_string2subid: str='%s'",str)); D(6,("oid_string2subid: str='%s'",str));
@ -747,10 +752,15 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
subids_overflow = subids + n; subids_overflow = subids + n;
do switch(*r) { do switch(*r) {
case '.': case '.':
subid = 0;
subids++; subids++;
continue; continue;
case '1' : case '2' : case '3' : case '4' : case '5' : case '1' : case '2' : case '3' : case '4' : case '5' :
case '6' : case '7' : case '8' : case '9' : case '0' : case '6' : case '7' : case '8' : case '9' : case '0' :
subid *= 10;
subid += *r - '0';
DISSECTOR_ASSERT(subid <= 0xffffffff);
DISSECTOR_ASSERT(subids < subids_overflow); DISSECTOR_ASSERT(subids < subids_overflow);
*(subids) *= 10; *(subids) *= 10;
*(subids) += *r - '0'; *(subids) += *r - '0';
@ -768,10 +778,14 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_p) { guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_p) {
gint i; gint i;
guint n = 1; guint n = 1;
guint32 subid = 0;
gboolean is_first = TRUE; gboolean is_first = TRUE;
guint32* subids; guint32* subids;
guint32* subid_overflow; guint32* subid_overflow;
/*
* we cannot handle sub-ids greater than 32bytes
* have the subid in 64 bytes to be able to check the limit
*/
guint64 subid = 0;
for (i=0; i<oid_len; i++) { if (! (oid_bytes[i] & 0x80 )) n++; } for (i=0; i<oid_len; i++) { if (! (oid_bytes[i] & 0x80 )) n++; }
@ -800,6 +814,7 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
} }
DISSECTOR_ASSERT(subids < subid_overflow); DISSECTOR_ASSERT(subids < subid_overflow);
DISSECTOR_ASSERT(subid <= 0xffffffff);
*subids++ = subid; *subids++ = subid;
subid = 0; subid = 0;
} }
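Review bot: The new `DISSECTOR_ASSERT(subid <= 0xffffffff)` at the end of oid_encoded2subid() runs only after the whole sub-identifier has been accumulated, so if the accumulation (outside this hunk, presumably a shift-by-7 per continuation byte) is applied to a run of ten or more bytes with the 0x80 bit set, the 64-bit pilot silently loses its high bits before the check and a crafted encoding can still yield a wrong 32-bit value that passes it. Since the range check is only reliable if the accumulator never wraps, it should be applied per byte, before each shift, i.e. `DISSECTOR_ASSERT(subid <= 0xffffffff);` ahead of the `subid <<= 7` (or equivalent) step, with the existing check after the loop then being redundant but harmless. The same per-digit check in oid_string2subid() is already placed correctly, since it is evaluated after every digit. Note that DISSECTOR_ASSERT is a dissector-context exception; if these parsers are also reached from MIB or preference loading, a plain error return would be the more appropriate failure mode there. The body of oid_encoded2subid starts before this hunk.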