Limit the number of operations to 128 (an arbitrary cap) to keep us from attempting to allocate far too much memory. This fixes the fuzz failure reported in bug 4976.

svn path=/trunk/; revision=33456
Jeff Morriss 2010-07-06 14:57:54 +00:00
parent c5ddd5a253
commit 4522f9b0a4
1 changed files with 112 additions and 96 deletions


@ -41,6 +41,7 @@
#include <epan/emem.h>
#include <epan/strutil.h>
#include <epan/crc32.h>
#include <epan/expert.h>
#include <epan/crc16.h>
#include <glib.h>
@ -8922,7 +8923,7 @@ dissect_nfs_layout(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tr
static int
dissect_nfs_argop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree)
proto_tree *tree)
{
guint32 ops, ops_counter, summary_counter;
guint opcode;
@ -8948,12 +8949,22 @@ dissect_nfs_argop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
ops = tvb_get_ntohl(tvb, offset+0);
op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
"Operations (count: %u)", ops);
offset += 4;
#define MAX_NFSV4_OPS 128
if (ops > MAX_NFSV4_OPS) {
/* Limit the number of operations to something "reasonable."
* This is an arbitrary number to keep us from attempting to
* allocate too much memory below.
*/
expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
ops = MAX_NFSV4_OPS;
}
op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
if (fitem) {
ftree = proto_item_add_subtree(fitem, ett_nfs_argop4);
}
@ -9559,7 +9570,7 @@ dissect_nfs_secinfo4_res(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
static int
dissect_nfs_resop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree)
proto_tree *tree)
{
guint32 ops, ops_counter, summary_counter;
guint32 opcode;
@ -9579,12 +9590,17 @@ dissect_nfs_resop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
ops = tvb_get_ntohl(tvb, offset+0);
op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
"Operations (count: %u)", ops);
offset += 4;
if (ops > MAX_NFSV4_OPS) {
expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
ops = MAX_NFSV4_OPS;
}
op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
if (fitem) {
ftree = proto_item_add_subtree(fitem, ett_nfs_resop4);
}
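Review bot: In both `dissect_nfs_argop4` and `dissect_nfs_resop4` the new `expert_add_info_format(pinfo, fitem, ...)` call passes `fitem` unconditionally, while the very next line guards `if (fitem)` before using it, so the code itself acknowledges `fitem` may be NULL (it is when no tree is being built); confirm `expert_add_info_format` tolerates a NULL item, or move the expert call inside that guard. The capped `g_malloc(sizeof(nfsv4_operation_summary) * ops)` is the right fix for the fuzz case, but a heap buffer obtained this way is lost if a tvb exception is thrown while the operations are dissected, and both the consuming loop and the corresponding `g_free` lie outside the hunk, so I cannot see whether that path is covered; since `epan/emem.h` is already included, `op_summary = ep_alloc(sizeof(nfsv4_operation_summary) * ops);` would be released automatically at end of packet and remove the leak risk. As a point of style, `#define MAX_NFSV4_OPS 128` is placed inside the body of `dissect_nfs_argop4` yet relied on by `dissect_nfs_resop4` further down; moving it to file scope with the other constants, with a comment such as `/* Cap on NFSv4 COMPOUND ops we will allocate summaries for; arbitrary, see bug 4976 */`, makes the shared dependency explicit.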