ieee1905: don't assume the address size in reassembly.

OSS-Fuzz generated a test case with addresses whose size was not 6.
The buggy code assumed that size, causing a failing read. The fix is
to use the address lengths from the structures, allocating dynamic
wmem memory instead of a local buffer.

Fix: #17121.
Dario Lombardo 2020-12-30 18:16:27 +01:00 committed by Wireshark GitLab Utility
parent 022b230dcf
commit ca46d11c08
1 changed files with 10 additions and 6 deletions


@ -8315,18 +8315,22 @@ static guint
ieee1905_fragment_hash(gconstpointer k)
{
guint hash_val;
guint8 hash_buf[17];
const ieee1905_fragment_key *key = (const ieee1905_fragment_key *)k;
if (!key || !key->src.data || !key->dst.data) {
return 0;
}
memcpy(hash_buf, key->src.data, 6);
memcpy(&hash_buf[6], key->dst.data, 6);
hash_buf[12] = key->frag_id;
memcpy(&hash_buf[13], &key->vlan_id, 4);
hash_val = wmem_strong_hash((const guint8 *)hash_buf, 17);
const guint8 src_len = key->src.len;
const guint8 dst_len = key->dst.len;
const guint8 hash_buf_len = src_len + dst_len + sizeof(guint8) + sizeof(guint32);
guint8* hash_buf = (guint8*)wmem_alloc(wmem_packet_scope(), hash_buf_len);
memcpy(hash_buf, key->src.data, src_len);
memcpy(&hash_buf[src_len], key->dst.data, dst_len);
hash_buf[src_len + dst_len] = key->frag_id;
memcpy(&hash_buf[src_len + dst_len + sizeof(guint8)], &key->vlan_id, sizeof(guint32));
hash_val = wmem_strong_hash((const guint8 *)hash_buf, hash_buf_len);
return hash_val;
}
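Review bot: The new length arithmetic at `const guint8 hash_buf_len = src_len + dst_len + sizeof(guint8) + sizeof(guint32);` can wrap: the sum is computed as an int and then truncated to 8 bits, so two addresses whose lengths add up to more than 250 bytes make `wmem_alloc` return fewer bytes than the following `memcpy` calls write, and `src_len`/`dst_len` are themselves truncated if `address.len` is wider than 8 bits (I believe it is an `int`). Widening the three declarations is enough: `const guint src_len = (guint)key->src.len;`, `const guint dst_len = (guint)key->dst.len;`, `const guint hash_buf_len = src_len + dst_len + sizeof(guint8) + sizeof(guint32);`. If `len` is signed, a negative value should also be rejected next to the existing NULL-data checks rather than converted. Separately, building the hash from a packet-scoped allocation ties this hash callback to a live packet scope; if this tree provides `add_address_to_hash()` in epan/address.h, folding `key->src`, `key->dst`, `frag_id` and `vlan_id` into the hash incrementally would remove both the allocation and the size arithmetic.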