SSL: dynamically allocate session ticket storage area to avoid buffer overflow

Fixes bug 9825

Change-Id: I20ae65331ec11b2f6774054df4c026fd5fa76d3a
Reviewed-on: https://code.wireshark.org/review/447
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Pascal Quantin <pascal.quantin@gmail.com>

epan/dissectors/packet-ssl-utils.c

@@ -3715,7 +3715,7 @@ ssl_session_init(SslDecryptSession* ssl_session)
     ssl_session->session_id.data = ssl_session->_session_id;
     ssl_session->client_random.data = ssl_session->_client_random;
     ssl_session->server_random.data = ssl_session->_server_random;
-    ssl_session->session_ticket.data = ssl_session->_session_ticket;
+    ssl_session->session_ticket.data = NULL;
     ssl_session->session_ticket.data_len = 0;
     ssl_session->master_secret.data_len = 48;
     ssl_session->server_data_for_iv.data_len = 0;
@@ -4855,6 +4855,8 @@ ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb
     if(is_client && ssl && ext_len != 0)
     {
         /*save the ticket on the ssl opaque so that we can use it as key on server hello */
+        ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
+                                    ssl->session_ticket.data, ext_len);
         tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
         ssl->session_ticket.data_len = ext_len;
     }

epan/dissectors/packet-ssl-utils.h

@@ -334,7 +334,6 @@ typedef struct {
 typedef struct _SslDecryptSession {
     guchar _master_secret[48];
     guchar _session_id[256];
-    guchar _session_ticket[1024];
     guchar _client_random[32];
     guchar _server_random[32];
     StringInfo session_id;

epan/dissectors/packet-ssl.c

@@ -2533,6 +2533,8 @@ dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree,
 
     /* save the session ticket to cache */
     if(ssl){
+        ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
+                                    ssl->session_ticket.data, session_ticket_length);
         tvb_memcpy(tvb,ssl->session_ticket.data, offset, session_ticket_length);
         ssl->session_ticket.data_len = session_ticket_length;
         ssl_save_session_ticket(ssl, ssl_session_hash);