ber: clamp BER lengths to avoid integer overflow

Many callers treat the length as a signed integer, so ensure that the
length fits in such a number. Failure to do so can have unintended
consequences (such as calling "tvb_memdup(tvb, 0, -1)" and assuming that
the length is actually 2^32-1).

Although an exception could be thrown as well, let's give the caller a
chance to handle this themselves.

Change-Id: If92545f7d3603250f75741040435000ba879b7e3
Ping-Bug: 14682
Reviewed-on: https://code.wireshark.org/review/27563
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Peter Wu 2018-05-15 16:34:35 +02:00 committed by Anders Broman
parent df5a8b29bb
commit 67c6420473
1 changed files with 5 additions and 0 deletions


@ -1346,6 +1346,11 @@ try_get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind, gi
}
}
/* Several users treat the length as signed value, clamp the value to avoid
* an overflow to negative values. */
if (tmp_length > (guint32)G_MAXINT32)
tmp_length = (guint32)G_MAXINT32;
if (length)
*length = tmp_length;
if (ind)
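
Review bot: the clamp at `if (tmp_length > (guint32)G_MAXINT32)` is silent, so a caller that receives `*length == G_MAXINT32` cannot tell an encoded length of exactly that value from one that was capped. The commit message leaves handling to the caller, but nothing in the hunk states that contract. Consider documenting in the function's header comment that the returned length is capped at G_MAXINT32 and that callers should treat that value as out of range, or exposing the condition through a flag the caller can test. Minor wording point: the new comment reads better as "treat the length as a signed value".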