CANopen: Check array bounds for untrusted index (CID 1356262)

Change-Id: If5ca51e5703fa4137ab9f388a99d613752d3b0d0
Reviewed-on: https://code.wireshark.org/review/15983
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: João Valverde <j@v6e.pt>
João Valverde 2016-06-16 10:18:07 +01:00 committed by João Valverde
parent 99e2466bd7
commit ee6e89d900
1 changed files with 33 additions and 4 deletions


@ -143,7 +143,7 @@ static const int *sdo_cmd_fields_ccs6[] = {
NULL
};
static const int **sdo_cmd_fields_ccs[] = {
static const int **_sdo_cmd_fields_ccs[] = {
sdo_cmd_fields_ccs0,
sdo_cmd_fields_ccs1,
sdo_cmd_fields_ccs2,
@ -153,6 +153,14 @@ static const int **sdo_cmd_fields_ccs[] = {
sdo_cmd_fields_ccs6
};
static inline const int **
sdo_cmd_fields_ccs(guint cs)
{
if (cs < array_length(_sdo_cmd_fields_ccs))
return _sdo_cmd_fields_ccs[cs];
return NULL;
}
/* (scs=0) decode mask */
static const int *sdo_cmd_fields_scs0[] = {
@ -200,7 +208,7 @@ static const int *sdo_cmd_fields_scs6[] = {
};
static const int **sdo_cmd_fields_scs[] = {
static const int **_sdo_cmd_fields_scs[] = {
sdo_cmd_fields_scs0,
sdo_cmd_fields_scs1,
sdo_cmd_fields_scs2,
@ -210,6 +218,14 @@ static const int **sdo_cmd_fields_scs[] = {
sdo_cmd_fields_scs6
};
static inline const int **
sdo_cmd_fields_scs(guint cs)
{
if (cs < array_length(_sdo_cmd_fields_scs))
return _sdo_cmd_fields_scs[cs];
return NULL;
}
/* Initialize the subtree pointers */
static gint ett_canopen = -1;
static gint ett_canopen_cob = -1;
@ -605,6 +621,7 @@ dissect_sdo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *canopen_type_tree, gu
int offset = 0;
guint8 sdo_mux = 0, sdo_data = 0;
guint8 sdo_cs = 0;
const gint **sdo_cmd_fields;
/* get SDO command specifier */
sdo_cs = tvb_get_bits8(tvb, 0, 3);
@ -614,8 +631,14 @@ dissect_sdo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *canopen_type_tree, gu
": %s", val_to_str(sdo_cs, sdo_ccs,
"Unknown (0x%x)"));
sdo_cmd_fields = sdo_cmd_fields_ccs(sdo_cs);
if (sdo_cmd_fields == NULL) {
proto_tree_add_item(canopen_type_tree, hf_canopen_sdo_cmd, tvb, 0, 1, ENC_LITTLE_ENDIAN);
/* XXX Add expert info */
return;
}
proto_tree_add_bitmask(canopen_type_tree, tvb, offset,
hf_canopen_sdo_cmd, ett_canopen_sdo_cmd, sdo_cmd_fields_ccs[sdo_cs], ENC_LITTLE_ENDIAN);
hf_canopen_sdo_cmd, ett_canopen_sdo_cmd, sdo_cmd_fields, ENC_LITTLE_ENDIAN);
offset++;
switch (sdo_cs) {
@ -649,8 +672,14 @@ dissect_sdo(tvbuff_t *tvb, packet_info *pinfo, proto_tree *canopen_type_tree, gu
": %s", val_to_str(sdo_cs, sdo_scs,
"Unknown (0x%x)"));
sdo_cmd_fields = sdo_cmd_fields_scs(sdo_cs);
if (sdo_cmd_fields == NULL) {
proto_tree_add_item(canopen_type_tree, hf_canopen_sdo_cmd, tvb, 0, 1, ENC_LITTLE_ENDIAN);
/* XXX Add expert info */
return;
}
proto_tree_add_bitmask(canopen_type_tree, tvb, offset,
hf_canopen_sdo_cmd, ett_canopen_sdo_cmd, sdo_cmd_fields_scs[sdo_cs], ENC_LITTLE_ENDIAN);
hf_canopen_sdo_cmd, ett_canopen_sdo_cmd, sdo_cmd_fields, ENC_LITTLE_ENDIAN);
offset++;
switch (sdo_cs) {
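Review bot: The fallback taken when `sdo_cmd_fields_ccs()` returns NULL, and the identical one after `sdo_cmd_fields_scs()`, adds the raw command byte and returns with only `/* XXX Add expert info */`, so a frame whose command specifier falls outside the table is displayed with no marker an analyst can filter on. `sdo_cs` is read from the packet as a 3-bit field, so the out-of-table value (apparently 7, given tables that seem to end at `..._ccs6` / `..._scs6`) can arrive in ordinary captured traffic. Keeping the `proto_item *` returned by `proto_tree_add_item()` and attaching a registered expert field to it with `expert_add_info()` would turn the TODO into a visible warning. Separately, `_sdo_cmd_fields_ccs` and `_sdo_cmd_fields_scs` are file-scope identifiers with a leading underscore, which C reserves for the implementation; a suffixed name such as `sdo_cmd_fields_ccs_table` avoids that. The body of `dissect_sdo` starts and ends outside these hunks.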