ber: fix buffer overrun (read) in dissect_ber_constrained_bitstring

The length is an unsigned integer, but some users (such as tvb_memdup)
expect signed integers and treat negative values specially.

Bug: 14682
Change-Id: Ic3330d23d964b5cc44718b61c8985880f901674d
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8011
Reviewed-on: https://code.wireshark.org/review/27562
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Peter Wu 2018-05-15 16:31:40 +02:00 committed by Anders Broman
parent 9ee790e99c
commit df5a8b29bb
1 changed files with 3 additions and 3 deletions

@ -3905,11 +3905,11 @@ dissect_ber_constrained_bitstring(gboolean implicit_tag, asn1_ctx_t *actx, proto
len = tvb_reported_length_remaining(tvb, offset);
end_offset = offset+len;
}
if (len == 0) {
if ((int)len <= 0) {
proto_tree_add_expert_format(
parent_tree, actx->pinfo, &ei_ber_constr_bitstr, tvb, offset, len,
"dissect_ber_constrained_bitstring(): frame:%u offset:%d Was passed an illegal length of 0",
actx->pinfo->num, offset);
"dissect_ber_constrained_bitstring(): frame:%u offset:%d Was passed an illegal length of %d",
actx->pinfo->num, offset, len);
return offset;
}
actx->created_item = NULL;
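Review bot: The error path still hands the raw `len` to proto_tree_add_expert_format, both as the item length (`tvb, offset, len,`) and as the `%d` argument, even though this branch is now taken exactly when `(int)len` is zero or negative. The commit message notes that some consumers treat negative lengths specially, so consider passing a length known to be in range (such as 0) for the expert item. For the message, either cast the argument to `(int)` or use `%u` so the conversion matches the unsigned type. A one-line comment on the `(int)len <= 0` check explaining that it rejects unsigned values too large for a signed int would also help later readers.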