osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bacapp: make sure to NUL terminate bf_arr. 

bf_arr is used as %s argument to proto_tree_add_subtree_format(), so it need to be NUL terminated.
Add + 1 to bf_arr size, and use sizeof() in memset() calls.

ASAN report:

ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ff1b179f150 at pc 0x00000044cf31 bp 0x7ffdc7493cf0 sp 0x7ffdc74934a0
READ of size 258 at 0x7ff1b179f150 thread T0
SCARINESS: 41 (multi-byte-read-stack-buffer-overflow)
	#0 0x44cf30 in printf_common(void*, char const*, __va_list_tag*) /src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors_format.inc:548
	#1 0x498cfc in __vsnprintf_chk /src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1558
	#2 0x5775cf in proto_tree_set_representation /src/wireshark/epan/proto.c:5508:9
	#3 0x577eb1 in proto_tree_add_text_valist_internal /src/wireshark/epan/proto.c:1226:2
	#4 0x5782d5 in proto_tree_add_subtree_format /src/wireshark/epan/proto.c:1249:7
	#5 0x73c73f in fBitStringTagVS /src/wireshark/epan/dissectors/packet-bacapp.c:7490:15
	#6 0x73ad20 in fApplicationTypesEnumeratedSplit /src/wireshark/epan/dissectors/packet-bacapp.c:7569:26
	#7 0x73a484 in fApplicationTypes /src/wireshark/epan/dissectors/packet-bacapp.c:7635:12
	#8 0x7395db in fIAmRequest /src/wireshark/epan/dissectors/packet-bacapp.c:13412:14
	#9 0x7383e1 in dissect_bacapp /src/wireshark/epan/dissectors/packet-bacapp.c:14163:9

Found by oss-fuzz/5452.

Change-Id: I57e948904f707c5003a389431b009a37c1212e04
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5452
Reviewed-on: https://code.wireshark.org/review/25544
Petri-Dish: Jakub Zawadzki <darkjames-ws@darkjames.pl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
This commit is contained in:
Jakub Zawadzki 2018-02-01 02:25:24 +01:00 committed by Jakub Zawadzki
parent 85fed81b63
commit 66af843eb5
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
epan/dissectors/packet-bacapp.c
View File

@ -7469,7 +7469,7 @@ fBitStringTagVS(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint offse
guint start = offset;
guint offs;
guint32 lvt, i, numberOfBytes;
guint8 bf_arr[256];
guint8 bf_arr[256 + 1];
proto_tree* subtree = tree;
offs = fTagHeader(tvb, pinfo, offset, &tag_no, &tag_info, &lvt);
@ -7477,7 +7477,7 @@ fBitStringTagVS(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint offse
offset += offs;
unused = tvb_get_guint8(tvb, offset); /* get the unused Bits */
memset(bf_arr, 0, 256);
memset(bf_arr, 0, sizeof(bf_arr));
skip = 0;
for (i = 0; i < numberOfBytes; i++) {
tmp = tvb_get_guint8(tvb, (offset)+i + 1);
@ -7493,7 +7493,7 @@ fBitStringTagVS(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint offse
fTagHeaderTree(tvb, pinfo, subtree, start, &tag_no, &tag_info, &lvt);
proto_tree_add_item(subtree, hf_bacapp_unused_bits, tvb, offset, 1, ENC_NA);
memset(bf_arr, 0, 256);
memset(bf_arr, 0, sizeof(bf_arr));
skip = 0;
for (i = 0; i < numberOfBytes; i++) {
tmp = tvb_get_guint8(tvb, (offset)+i+1);