From ca46d11c08a4792354a88956ad100282961bc586 Mon Sep 17 00:00:00 2001 From: Dario Lombardo Date: Wed, 30 Dec 2020 18:16:27 +0100 Subject: [PATCH] ieee1905: don't assume the address size in reassembly. The oss-fuzzer was able to generate a testcase that had addresses whose size was not 6. The buggy code assumed that size, causing a failing read. The fix is to use addresses from the structures, allocating dynamic wmem memory instead of local buffer. Fix: #17121. --- epan/dissectors/packet-ieee1905.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/epan/dissectors/packet-ieee1905.c b/epan/dissectors/packet-ieee1905.c index 079f4609ba..5834e5dd21 100644 --- a/epan/dissectors/packet-ieee1905.c +++ b/epan/dissectors/packet-ieee1905.c @@ -8315,18 +8315,22 @@ static guint ieee1905_fragment_hash(gconstpointer k) { guint hash_val; - guint8 hash_buf[17]; const ieee1905_fragment_key *key = (const ieee1905_fragment_key *)k; if (!key || !key->src.data || !key->dst.data) { return 0; } - memcpy(hash_buf, key->src.data, 6); - memcpy(&hash_buf[6], key->dst.data, 6); - hash_buf[12] = key->frag_id; - memcpy(&hash_buf[13], &key->vlan_id, 4); - hash_val = wmem_strong_hash((const guint8 *)hash_buf, 17); + const guint8 src_len = key->src.len; + const guint8 dst_len = key->dst.len; + const guint8 hash_buf_len = src_len + dst_len + sizeof(guint8) + sizeof(guint32); + guint8* hash_buf = (guint8*)wmem_alloc(wmem_packet_scope(), hash_buf_len); + + memcpy(hash_buf, key->src.data, src_len); + memcpy(&hash_buf[src_len], key->dst.data, dst_len); + hash_buf[src_len + dst_len] = key->frag_id; + memcpy(&hash_buf[src_len + dst_len + sizeof(guint8)], &key->vlan_id, sizeof(guint32)); + hash_val = wmem_strong_hash((const guint8 *)hash_buf, hash_buf_len); return hash_val; }