forked from osmocom/wireshark
ieee1905: don't assume the address size in reassembly.
The oss-fuzzer was able to generate a testcase that had addresses whose size was not 6. The buggy code assumed that size, causing a failing read. The fix is to use addresses from the structures, allocating dynamic wmem memory instead of local buffer. Fix: #17121.
This commit is contained in:
parent
022b230dcf
commit
ca46d11c08
|
@ -8315,18 +8315,22 @@ static guint
|
|||
ieee1905_fragment_hash(gconstpointer k)
|
||||
{
|
||||
guint hash_val;
|
||||
guint8 hash_buf[17];
|
||||
const ieee1905_fragment_key *key = (const ieee1905_fragment_key *)k;
|
||||
|
||||
if (!key || !key->src.data || !key->dst.data) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(hash_buf, key->src.data, 6);
|
||||
memcpy(&hash_buf[6], key->dst.data, 6);
|
||||
hash_buf[12] = key->frag_id;
|
||||
memcpy(&hash_buf[13], &key->vlan_id, 4);
|
||||
hash_val = wmem_strong_hash((const guint8 *)hash_buf, 17);
|
||||
const guint8 src_len = key->src.len;
|
||||
const guint8 dst_len = key->dst.len;
|
||||
const guint8 hash_buf_len = src_len + dst_len + sizeof(guint8) + sizeof(guint32);
|
||||
guint8* hash_buf = (guint8*)wmem_alloc(wmem_packet_scope(), hash_buf_len);
|
||||
|
||||
memcpy(hash_buf, key->src.data, src_len);
|
||||
memcpy(&hash_buf[src_len], key->dst.data, dst_len);
|
||||
hash_buf[src_len + dst_len] = key->frag_id;
|
||||
memcpy(&hash_buf[src_len + dst_len + sizeof(guint8)], &key->vlan_id, sizeof(guint32));
|
||||
hash_val = wmem_strong_hash((const guint8 *)hash_buf, hash_buf_len);
|
||||
return hash_val;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue