From 7c174c63f827576c33ca258b267987d5ad950248 Mon Sep 17 00:00:00 2001
From: Luis Ontanon
Date: Sat, 25 Aug 2007 14:15:56 +0000
Subject: [PATCH] Initialize to zero all subids in oid_string2subid() to avoid creating bogus oids. This is aspirin for a buffer overflow somewhere in the code that reads cretificates, that dimensions a buffer probably assumung oid subids are few digits while they can actually be bigger. Place two DISSECTOR_ASSERT() guards to avoid an (I believe impossible) buffer overflow of the ep_allocated subid array in oid_string2subid() and oid_encoded2subid(). svn path=/trunk/; revision=22656
---
 epan/oids.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/epan/oids.c b/epan/oids.c
index 01c473b646..cbd655de53 100644
--- a/epan/oids.c
+++ b/epan/oids.c
@@ -90,7 +90,7 @@ static oid_info_t* add_oid(const char* name, oid_kind_t kind, const oid_value_ty
 if(n) {
 if (i == oid_len) {
 if (n->name) {
- D(0,("RENAMING %s -> %s",n->name,name));
+ D(2,("Renaming Oid from: %s -> %s, this menas the same oid is registered more than once",n->name,name));
 g_free(n->name);
 }
@@ -679,6 +679,7 @@ guint check_num_oid(const char* str) {
 guint oid_string2subid(const char* str, guint32** subids_p) {
 const char* r = str;
 guint32* subids;
+ guint32* subids_overflow;
 guint n = check_num_oid(str);
 D(6,("oid_string2subid: str='%s'",str));
@@ -690,8 +691,8 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
 D(7,("\toid_string2subid: n=%d",n));
- *subids_p = subids = ep_alloc_array(guint32,n);
-
+ *subids_p = subids = ep_alloc0(sizeof(guint32)*n);
+ subids_overflow = subids + n;
 do switch(*r) {
 case '.':
 D(7,("\toid_string2subid: subid: %p %u",subids,*subids));
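Review bot: The new debug string in the `D(2, ...)` call of add_oid() misspells "means" as "menas". This is the text someone searching a debug log for duplicate registrations will see, so it should read `this means the same oid is registered more than once`. add_oid() starts and ends outside this hunk.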
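Review bot: Nothing at the `ep_alloc0()` call says why the array must now be zeroed, and the reason is not local: the digit case further down does `*(subids) *= 10` on a slot it never stored to. A comment above the allocation, e.g. `/* zeroed on purpose: the digit case multiplies and adds into *subids in place */`, would keep a later cleanup from switching back to `ep_alloc_array()`. The one-past-the-end pointer is also spelled `subids_overflow` here but `subid_overflow` in oid_encoded2subid(); a single name in both functions would read better. oid_string2subid() starts and ends outside this hunk.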
@@ -699,6 +700,7 @@ guint oid_string2subid(const char* str, guint32** subids_p) {
 continue;
 case '1' : case '2' : case '3' : case '4' : case '5' : case '6' : case '7' : case '8' : case '9' : case '0' :
+ DISSECTOR_ASSERT(subids < subids_overflow);
 *(subids) *= 10;
 *(subids) += *r - '0';
 continue;
@@ -719,10 +721,12 @@ guint oid_encoded2subid(const guint8 *oid_bytes, gint oid_len, guint32** subids_
 guint32 subid = 0;
 gboolean is_first = TRUE;
 guint32* subids;
-
+ guint32* subid_overflow;
+ for (i=0; i
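Review bot: The added `DISSECTOR_ASSERT(subids < subids_overflow)` bounds the pointer, but the accumulation right after it, `*(subids) *= 10; *(subids) += *r - '0';`, still wraps modulo 2^32 when a sub-identifier has more digits than a guint32 can hold. The commit message itself notes that sub-ids can be larger than callers expect, and a wrapped value yields a syntactically valid OID that differs from the input string. A range check before the multiply would reject such input, for example `if (*subids > (G_MAXUINT32 - (guint32)(*r - '0')) / 10) return 0;`. The function's error-return convention is not visible in this hunk, so the `return 0` is an assumption to confirm against the rest of oid_string2subid().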