Initialize to zero all subids in oid_string2subid() to avoid creating bogus oids. This is aspirin for a buffer overflow somewhere in the code that reads certificates, which dimensions a buffer probably assuming OID subids are a few digits long while they can actually be bigger.

Place two DISSECTOR_ASSERT() guards to avoid an (I believe impossible) buffer overflow of the ep_allocated subid array in  oid_string2subid() and oid_encoded2subid().


svn path=/trunk/; revision=22656
Luis Ontanon 2007-08-25 14:15:56 +00:00
parent 1f58f3e2ec
commit 7c174c63f8
1 changed files with 9 additions and 4 deletions


@ -90,7 +90,7 @@ static oid_info_t* add_oid(const char* name, oid_kind_t kind, const oid_value_ty
if(n) {
if (i == oid_len) {
if (n->name) {
D(0,("RENAMING %s -> %s",n->name,name));
D(2,("Renaming Oid from: %s -> %s, this menas the same oid is registered more than once",n->name,name));
g_free(n->name);
}
@ -679,6 +679,7 @@ guint check_num_oid(const char* str) {
guint oid_string2subid(const char* str, guint32** subids_p) {
const char* r = str;
guint32* subids;
guint32* subids_overflow;
guint n = check_num_oid(str);
D(6,("oid_string2subid: str='%s'",str));
@ -690,8 +691,8 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
D(7,("\toid_string2subid: n=%d",n));
*subids_p = subids = ep_alloc_array(guint32,n);
*subids_p = subids = ep_alloc0(sizeof(guint32)*n);
subids_overflow = subids + n;
do switch(*r) {
case '.':
D(7,("\toid_string2subid: subid: %p %u",subids,*subids));
@ -699,6 +700,7 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
continue;
case '1' : case '2' : case '3' : case '4' : case '5' :
case '6' : case '7' : case '8' : case '9' : case '0' :
DISSECTOR_ASSERT(subids < subids_overflow);
*(subids) *= 10;
*(subids) += *r - '0';
continue;
@ -719,10 +721,12 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
guint32 subid = 0;
gboolean is_first = TRUE;
guint32* subids;
guint32* subid_overflow;
for (i=0; i<oid_len; i++) { if (! (oid_bytes[i] & 0x80 )) n++; }
*subids_p = subids = ep_alloc(sizeof(guint32)*n);
subid_overflow = subids+n;
for (i=0; i<oid_len; i++){
guint8 byte = oid_bytes[i];
@ -745,6 +749,7 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
is_first = FALSE;
}
DISSECTOR_ASSERT(subids < subid_overflow);
*subids++ = subid;
subid = 0;
}
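Review bot: The zero-initialisation this commit adds to oid_string2subid is not carried over to oid_encoded2subid, whose `*subids_p = subids = ep_alloc(sizeof(guint32)*n);` (fourth hunk) still hands back uninitialised slots whenever the second loop writes fewer than n entries — an empty oid_bytes, or an encoding whose final byte still has bit 7 set, which the counting loop on the line above never counts as a terminated subid and which, as far as these hunks show, is dropped silently rather than rejected. Since the stated aim is to stop bogus OIDs reaching the lookup, the same `*subids_p = subids = ep_alloc0(sizeof(guint32)*n);` belongs here, and a trailing continuation byte should probably be surfaced to the caller (a DISSECTOR_ASSERT or a return count that reflects what was actually decoded) rather than yielding a silently truncated OID; I cannot see how n is seeded or the return path, so confirm that before changing it. The new DISSECTOR_ASSERT in the last hunk guards only the `*subids++ = subid;` write, so the `is_first` branch just above it, which presumably stores the split-off first subid, is safe only if n is initialised with room for that extra element — worth a one-line comment at the assert stating that assumption. Both hunks sit inside oid_encoded2subid, whose body begins before the fourth hunk and ends after the last.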