From 5fc9db83cf50f9fd27e64e3c249fef0f9459a05c Mon Sep 17 00:00:00 2001
From: Pascal Quantin
Date: Sun, 2 Mar 2014 18:25:31 +0100
Subject: [PATCH] SSL: dynamically allocate session ticket storage area to avoid buffer overflow
Fixes bug 9825
Change-Id: I20ae65331ec11b2f6774054df4c026fd5fa76d3a
Reviewed-on: https://code.wireshark.org/review/447
Reviewed-by: Pascal Quantin
Tested-by: Pascal Quantin
---
 epan/dissectors/packet-ssl-utils.c | 4 +++-
 epan/dissectors/packet-ssl-utils.h | 1 -
 epan/dissectors/packet-ssl.c | 2 ++
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 558deb7a3d..6c14af9bea 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -3715,7 +3715,7 @@ ssl_session_init(SslDecryptSession* ssl_session)
 ssl_session->session_id.data = ssl_session->_session_id;
 ssl_session->client_random.data = ssl_session->_client_random;
 ssl_session->server_random.data = ssl_session->_server_random;
- ssl_session->session_ticket.data = ssl_session->_session_ticket;
+ ssl_session->session_ticket.data = NULL;
 ssl_session->session_ticket.data_len = 0;
 ssl_session->master_secret.data_len = 48;
 ssl_session->server_data_for_iv.data_len = 0;
@@ -4855,6 +4855,8 @@ ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb
 if(is_client && ssl && ext_len != 0) {
 /*save the ticket on the ssl opaque so that we can use it as key on server hello */
+ ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
+ ssl->session_ticket.data, ext_len);
 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
 ssl->session_ticket.data_len = ext_len;
 }
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index b88b638102..c8dfca6cc8 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
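Review bot: In ssl_dissect_hnd_hello_ext_session_ticket (second hunk of packet-ssl-utils.c) the buffer is resized to `ext_len` before `tvb_memcpy` runs, while `data_len` is only updated afterwards. If the copy aborts on a truncated capture (tvb accessors raise a bounds exception), `session_ticket.data` is left pointing at the new, possibly smaller allocation together with the previous `data_len`, and a later reader of the ticket could run past it. Validating first keeps the pair consistent: `tvb_ensure_bytes_exist(tvb, offset, ext_len);` before the `wmem_realloc` call, or `ssl->session_ticket.data_len = 0;` ahead of it. The same ordering appears in dissect_ssl3_hnd_new_ses_ticket in packet-ssl.c. Both function bodies start and end outside their hunks.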
@@ -334,7 +334,6 @@ typedef struct {
 typedef struct _SslDecryptSession {
 guchar _master_secret[48];
 guchar _session_id[256];
- guchar _session_ticket[1024];
 guchar _client_random[32];
 guchar _server_random[32];
 StringInfo session_id;
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 5aabd55531..efbad01d41 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2533,6 +2533,8 @@ dissect_ssl3_hnd_new_ses_ticket(tvbuff_t *tvb, proto_tree *tree,
 /* save the session ticket to cache */
 if(ssl){
+ ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
+ ssl->session_ticket.data, session_ticket_length);
 tvb_memcpy(tvb,ssl->session_ticket.data, offset, session_ticket_length);
 ssl->session_ticket.data_len = session_ticket_length;
 ssl_save_session_ticket(ssl, ssl_session_hash);
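Review bot: The `if(ssl){` branch in dissect_ssl3_hnd_new_ses_ticket (packet-ssl.c) reallocates and copies without the non-zero length test that the hello-extension path applies (`ext_len != 0`). With `session_ticket_length == 0` the call becomes a zero-size `wmem_realloc`, whose return value is not visible here and may be NULL, and that pointer is then handed to `tvb_memcpy` and `ssl_save_session_ticket`. Either guard it, `if(ssl && session_ticket_length != 0){`, or add a comment stating that an empty ticket is stored deliberately. The function starts and ends outside the hunk.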