Limit the number of operations to 128 (arbitrary number) to keep us from attempting to mallocate way too much memory. This fixes the fuzz failure reported in bug 4976.
svn path=/trunk/; revision=33456
parent
c5ddd5a253
commit
4522f9b0a4
|
@ -41,6 +41,7 @@
|
|||
#include <epan/emem.h>
|
||||
#include <epan/strutil.h>
|
||||
#include <epan/crc32.h>
|
||||
#include <epan/expert.h>
|
||||
|
||||
#include <epan/crc16.h>
|
||||
#include <glib.h>
|
||||
|
@ -8922,7 +8923,7 @@ dissect_nfs_layout(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tr
|
|||
|
||||
static int
|
||||
dissect_nfs_argop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
||||
proto_tree *tree)
|
||||
proto_tree *tree)
|
||||
{
|
||||
guint32 ops, ops_counter, summary_counter;
|
||||
guint opcode;
|
||||
|
@ -8948,12 +8949,22 @@ dissect_nfs_argop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
|
||||
ops = tvb_get_ntohl(tvb, offset+0);
|
||||
|
||||
op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
|
||||
|
||||
fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
|
||||
"Operations (count: %u)", ops);
|
||||
offset += 4;
|
||||
|
||||
#define MAX_NFSV4_OPS 128
|
||||
if (ops > MAX_NFSV4_OPS) {
|
||||
/* Limit the number of operations to something "reasonable."
|
||||
* This is an arbitrary number to keep us from attempting to
|
||||
* allocate too much memory below.
|
||||
*/
|
||||
expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
|
||||
ops = MAX_NFSV4_OPS;
|
||||
}
|
||||
|
||||
op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
|
||||
|
||||
if (fitem) {
|
||||
ftree = proto_item_add_subtree(fitem, ett_nfs_argop4);
|
||||
}
|
||||
|
@ -9559,7 +9570,7 @@ dissect_nfs_secinfo4_res(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
|
|||
|
||||
static int
|
||||
dissect_nfs_resop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
||||
proto_tree *tree)
|
||||
proto_tree *tree)
|
||||
{
|
||||
guint32 ops, ops_counter, summary_counter;
|
||||
guint32 opcode;
|
||||
|
@ -9579,12 +9590,17 @@ dissect_nfs_resop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
|
||||
ops = tvb_get_ntohl(tvb, offset+0);
|
||||
|
||||
op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
|
||||
|
||||
fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
|
||||
"Operations (count: %u)", ops);
|
||||
offset += 4;
|
||||
|
||||
if (ops > MAX_NFSV4_OPS) {
|
||||
expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
|
||||
ops = MAX_NFSV4_OPS;
|
||||
}
|
||||
|
||||
op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
|
||||
|
||||
if (fitem) {
|
||||
ftree = proto_item_add_subtree(fitem, ett_nfs_resop4);
|
||||
}
|
||||
|
|
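Review bot: `MAX_NFSV4_OPS` is defined inside the body of dissect_nfs_argop4 and then used in dissect_nfs_resop4, so the second clamp only compiles because of definition order; move `#define MAX_NFSV4_OPS 128` to file scope and keep the explanatory comment with it. Both clamps report the oversized count as `PI_MALFORMED, PI_NOTE`, which understates a value that presumably makes the dissector stop after 128 operations (the loop is outside these hunks); `PI_WARN` or `PI_ERROR` would make the truncation visible in the expert summary. The buffer is still obtained with g_malloc before any operation is parsed, and the code that frees it is not shown. If a tvb accessor throws on a short packet before that free runs, the allocation would leak on every such packet, so since epan/emem.h is included `op_summary = ep_alloc(sizeof(nfsv4_operation_summary) * ops);` may be the safer choice, to be confirmed against the rest of both functions.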