A DNS or NBNS name may contain pointers to other names in the packet; if
the stuff referred to by those pointers goes past the end of the packet,
that's not a reason not to return the length of the DNS or NBNS name
itself - you can tag that name even though it's bad.  Therefore,
"get_dns_name()" should return the length of the part of the name it's
looked at even if that name contains a pointer to stuff that goes past
the end of the packet.

This means you can't check its return value to see if it's negative, and
treat it as an error if it is; remove that stuff.

Add checks to make sure the type and class fields in an RR don't go past
the end of the packet.

svn path=/trunk/; revision=781
Guy Harris 1999-10-07 09:21:38 +00:00
parent db5f4239dc
commit c6e161e7df
2 changed files with 22 additions and 39 deletions


@ -1,7 +1,7 @@
/* packet-dns.c
* Routines for DNS packet disassembly
*
* $Id: packet-dns.c,v 1.23 1999/10/07 07:44:28 guy Exp $
* $Id: packet-dns.c,v 1.24 1999/10/07 09:21:36 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@ -368,7 +368,11 @@ error:
overflow:
/* We ran past the end of the captured data in the packet. */
strcpy(name, "<Name goes past end of captured data in packet>");
return -1;
/* If "len" is negative, we haven't seen a pointer, and thus haven't
set the length, so set it. */
if (len < 0)
len = dp - dptr;
return len;
}
@ -384,15 +388,19 @@ get_dns_name_type_class(const u_char *pd, int offset, int dns_data_offset,
int start_offset = offset;
name_len = get_dns_name(pd, offset, dns_data_offset, name, sizeof(name));
if (name_len < 0) {
offset += name_len;
if (!BYTES_ARE_IN_FRAME(offset, 2)) {
/* We ran past the end of the captured data in the packet. */
return -1;
}
offset += name_len;
type = pntohs(&pd[offset]);
offset += 2;
if (!BYTES_ARE_IN_FRAME(offset, 2)) {
/* We ran past the end of the captured data in the packet. */
return -1;
}
class = pntohs(&pd[offset]);
offset += 2;
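Review bot: The new return contract of get_dns_name() in the `overflow:` path (a non-negative length plus a placeholder string in `name`) is not documented at the function, so the `name_len < 0` checks this commit deletes are easy to reintroduce; I would add a header comment along the lines of `/* Returns the number of bytes of the name consumed at "offset", even if the name or a pointer target runs past the captured data; in that case "name" holds a placeholder message, and callers must bounds-check what follows the name themselves. */`. The function body and its other labels lie outside this hunk, so whether the `error:` path still returns -1 cannot be seen here. In get_dns_name_type_class() the two identical `BYTES_ARE_IN_FRAME(offset, 2)` / comment / `return -1;` blocks could be one `if (!BYTES_ARE_IN_FRAME(offset, 4))` check before reading type and class, since both fields are consecutive; the same applies to get_nbns_name_type_class() in packet-nbns.c.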


@ -4,7 +4,7 @@
* Gilbert Ramirez <gram@verdict.uthscsa.edu>
* Much stuff added by Guy Harris <guy@netapp.com>
*
* $Id: packet-nbns.c,v 1.29 1999/10/07 07:44:29 guy Exp $
* $Id: packet-nbns.c,v 1.30 1999/10/07 09:21:38 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@ -159,13 +159,6 @@ get_nbns_name(const u_char *pd, int offset, int nbns_data_offset,
name_len = get_dns_name(pd, offset, nbns_data_offset, name,
sizeof(name));
if (name_len < 0) {
/* We ran past the end of the captured data in the packet. */
strcpy(name_ret, name);
if (name_type_ret != NULL)
*name_type_ret = -1;
return -1;
}
/* OK, now undo the first-level encoding. */
pname = &name[0];
@ -258,14 +251,19 @@ get_nbns_name_type_class(const u_char *pd, int offset, int nbns_data_offset,
name_len = get_nbns_name(pd, offset, nbns_data_offset, name_ret,
name_type_ret);
if (name_len < 0) {
offset += name_len;
if (!BYTES_ARE_IN_FRAME(offset, 2)) {
/* We ran past the end of the captured data in the packet. */
return -1;
}
offset += name_len;
type = pntohs(&pd[offset]);
offset += 2;
if (!BYTES_ARE_IN_FRAME(offset, 2)) {
/* We ran past the end of the captured data in the packet. */
return -1;
}
class = pntohs(&pd[offset]);
*type_ret = type;
@ -1271,11 +1269,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
/* Source name */
len = get_nbns_name(pd, offset, offset, name, &name_type);
if (len < 0) {
/* We ran past the end of the captured data in the
packet. */
return;
}
if (tree) {
add_name_and_type(nbdgm_tree, offset, len,
@ -1286,11 +1279,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
/* Destination name */
len = get_nbns_name(pd, offset, offset, name, &name_type);
if (len < 0) {
/* We ran past the end of the captured data in the
packet. */
return;
}
if (tree) {
add_name_and_type(nbdgm_tree, offset, len,
@ -1312,11 +1300,6 @@ dissect_nbdgm(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
header.msg_type == 0x15 || header.msg_type == 0x16) {
/* Destination name */
len = get_nbns_name(pd, offset, offset, name, &name_type);
if (len < 0) {
/* We ran past the end of the captured data in the
packet. */
return;
}
if (tree) {
add_name_and_type(nbdgm_tree, offset, len,
@ -1416,20 +1399,12 @@ dissect_nbss_packet(const u_char *pd, int offset, frame_data *fd, proto_tree *tr
case SESSION_REQUEST:
len = get_nbns_name(pd, offset, offset, name, &name_type);
if (len < 0) {
/* We ran past the end of the captured data in the packet. */
break;
}
if (tree)
add_name_and_type(nbss_tree, offset, len,
"Called name", name, name_type);
offset += len;
len = get_nbns_name(pd, offset, offset, name, &name_type);
if (len < 0) {
/* We ran past the end of the captured data in the packet. */
break;
}
if (tree)
add_name_and_type(nbss_tree, offset, len,