From 4107d5dd6e88ada823feb04c9c482d84dcd82cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dr=2E=20Lars=20V=C3=B6lker?=
Date: Fri, 14 Jan 2022 21:52:33 +0100
Subject: [PATCH] BLF: improved checks to avoid hangs
Improvements to fix a few hang scenarios found by fuzzing.
---
wiretap/blf.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wiretap/blf.c b/wiretap/blf.c
index 91196e5b6d..e9da146296 100644
--- a/wiretap/blf.c
+++ b/wiretap/blf.c
@@ -736,6 +736,11 @@ blf_scan_file_for_logcontainers(blf_params_t *params) {
switch (header.object_type) {
case BLF_OBJTYPE_LOG_CONTAINER:
+ if (header.header_length < sizeof(blf_blockheader_t)) {
+ ws_debug("log container header length too short");
+ return FALSE;
+ }
+
/* skip unknown header part if needed */
if (header.header_length - sizeof(blf_blockheader_t) > 0) {
/* seek over unknown header part */
@@ -765,7 +770,7 @@ blf_scan_file_for_logcontainers(blf_params_t *params) {
/* set up next start position */
current_real_start += logcontainer_header.uncompressed_size;
- if (file_seek(params->fh, current_start_pos + header.object_length, SEEK_SET, &err) < 0) {
+ if (file_seek(params->fh, current_start_pos + MAX(MAX(16, header.object_length), header.header_length), SEEK_SET, &err) < 0) {
ws_debug("cannot seek file for skipping log container bytes");
return FALSE;
}
@@ -777,7 +782,7 @@ blf_scan_file_for_logcontainers(blf_params_t *params) {
ws_debug("we found a non BLF log container on top level. this is unexpected.");
/* TODO: maybe create "fake Log Container" for this */
- if (file_seek(params->fh, current_start_pos + header.object_length, SEEK_SET, &err) < 0) {
+ if (file_seek(params->fh, current_start_pos + MAX(MAX(16, header.object_length), header.header_length), SEEK_SET, &err) < 0) {
return FALSE;
}
}
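Review bot: The condition `if (header.header_length - sizeof(blf_blockheader_t) > 0)` directly below the new guard is the unsigned subtraction the guard exists to protect (a header_length smaller than the fixed header wraps it to a huge value and the following seek jumps far ahead), but nothing in the hunk says so, and the two lines read as unrelated. I would annotate the guard with `/* header_length comes from the file; below the fixed header size it would wrap the subtraction below and the seek that follows it */` and, now that it is safe, write the skip condition as the equivalent `if (header.header_length > sizeof(blf_blockheader_t)) {`. The guard also only covers the BLF_OBJTYPE_LOG_CONTAINER case; if the non-container path of this function, outside the hunk, performs the same subtraction it needs the same check — worth confirming. blf_scan_file_for_logcontainers continues beyond the hunk.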
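Review bot: The new skip `MAX(MAX(16, header.object_length), header.header_length)` hard-codes 16 where the guard in the first hunk uses sizeof(blf_blockheader_t); the two appear to be the same quantity (the fixed block header size, inferred from that guard rather than shown here), and the expression is repeated verbatim at every seek/advance site in this patch, so a future drift between them would quietly reintroduce the zero-advance hang the commit fixes. I would factor it into one helper that returns the guaranteed-positive advance and call it as `file_seek(params->fh, current_start_pos + blf_next_object_offset(&header), SEEK_SET, &err)` here and at the other sites. Confirm against blf.h that 16 really equals sizeof(blf_blockheader_t) before replacing the literal. The enclosing function continues outside the hunk.
```c
/* Distance from a block header to the next object. Never smaller than the
 * fixed block header, so a forged object_length of 0 (or one smaller than
 * header_length) can never leave the reader on the same object. */
static gint64
blf_next_object_offset(const blf_blockheader_t *header) {
    guint32 advance = MAX((guint32)sizeof(blf_blockheader_t), header->object_length);
    return (gint64)MAX(advance, header->header_length);
}
```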
@@ -1735,7 +1740,7 @@ blf_read_block(blf_params_t *params, gint64 start_pos, int *err, gchar **err_inf
}
/* already making sure that we start after this object next time. */
- params->blf_data->current_real_seek_pos = start_pos + header.object_length;
+ params->blf_data->current_real_seek_pos = start_pos + MAX(MAX(16, header.object_length), header.header_length);
switch (header.object_type) {
case BLF_OBJTYPE_LOG_CONTAINER:
@@ -1813,12 +1818,12 @@ blf_read_block(blf_params_t *params, gint64 start_pos, int *err, gchar **err_inf
}
/* we do not return since there is no packet to show here */
- start_pos += header.object_length;
+ start_pos += MAX(MAX(16, header.object_length), header.header_length);
break;
default:
ws_debug("unknown object type 0x%04x", header.object_type);
- start_pos += header.object_length;
+ start_pos += MAX(MAX(16, header.object_length), header.header_length);
}
}
return TRUE;
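Review bot: The existing comment `/* already making sure that we start after this object next time. */` no longer explains the line it sits on: the MAX(...) now enforces a minimum advance, which is the actual hang fix, and a reader seeing a bare `16` has to guess why it is there. I would extend it to `/* Advance by at least the fixed header size: a forged object_length of 0, or one smaller than header_length, must not leave current_real_seek_pos on the same object forever. */` and, as in the scan function, spell the 16 as sizeof(blf_blockheader_t) if that is what it stands for (inferred, not shown in this hunk). blf_read_block starts and ends outside the hunk, so I cannot see whether header_length is validated against sizeof(blf_blockheader_t) before any header_length minus header-size arithmetic on this path; if it is not, the guard this commit adds to blf_scan_file_for_logcontainers is needed here as well.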