Fix a buffer overflow in the PPP dissector. Try to fix uninitialized

variable warnings turned up by Valgrind. svn path=/trunk/; revision=23475
2007-11-16 23:56:18 +00:00 · 2007-11-16 23:56:18 +00:00 · c2d537141a
parent 24d6a39eb0
commit c2d537141a
4 changed files with 293 additions and 274 deletions
--- a/docbook/release-notes.xml
+++ b/docbook/release-notes.xml
@ -154,6 +154,18 @@ Wireshark Info
          </para>
        </listitem>

+        <listitem>
+          <para>
+            The PPP dissector could overflow a buffer.
+            <!-- Fixed in r23475 -->
+            <!-- (Bug <ulink url="http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1926">1926</ulink>) -->
+          </para>
+          <para>Versions affected: 0.99.6</para>
+          <para>
+            <!-- <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-????">CVE-2007-????</ulink> -->
+          </para>
+        </listitem>
+
        <!-- rtsp? -->
      </itemizedlist>

--- a/epan/dissectors/packet-3g-a11.c
+++ b/epan/dissectors/packet-3g-a11.c
@ -510,6 +510,9 @@ decode_sse(proto_tree* ext_tree, tvbuff_t* tvb, int offset, size_t ext_len)
    if(msid_len > A11_MSG_MSID_ELEM_LEN_MAX)
    {
        p_msid = "MSID is too long";
+    }else if(msid_len < 1)
+    {
+        p_msid = "MSID is too short";
    }else
    {
       /* Decode the BCD digits */
--- a/epan/dissectors/packet-ppp.c
+++ b/epan/dissectors/packet-ppp.c
@ -3182,7 +3182,7 @@ dissect_iphc_crtp_fh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    }

    /* information field */
-    tvb_ensure_bytes_exist (tvb, 0, length);
+    tvb_ensure_bytes_exist (tvb, 0, hdr_len);
    ti = proto_tree_add_text(fh_tree, tvb, 0,length,"Information Field");
    info_tree = proto_item_add_subtree(ti,ett_iphc_crtp_info);

--- a/epan/dissectors/packet-rsvp.c
+++ b/epan/dissectors/packet-rsvp.c
@ -5308,6 +5308,7 @@ dissect_rsvp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
    msg_length = tvb_get_ntohs(tvb, 6);

    rsvph = ep_alloc(sizeof(rsvp_conversation_info));
+    rsvph->session_type = 0;

    /* Copy over the source and destination addresses from the pinfo strucutre */
    SET_ADDRESS(&rsvph->source, pinfo->src.type, pinfo->src.len, pinfo->src.data);
@ -5406,6 +5407,9 @@ dissect_rsvp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	break;
    default:
 	/* This should never happen. */
+        if (tree) {
+            proto_tree_add_text(tree, tvb, 0, 0, "Unknown session type");
+        }
 	break;
    }