Add missing checks for a too-large packet, so we don't blow up trying to

allocate a huge buffer. svn path=/trunk/; revision=40170
2011-12-13 02:42:42 +00:00 · 2011-12-13 02:42:42 +00:00 · c3da1f23d3
parent dd92029afa
commit c3da1f23d3
3 changed files with 35 additions and 1 deletions
--- a/wiretap/airopeek9.c
+++ b/wiretap/airopeek9.c
@ -500,10 +500,23 @@ static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info,
 	return FALSE;
    wth->data_offset += hdrlen;

-    /* force sliceLength to be the actual length of the packet */
+    /*
+     * If sliceLength is 0, force it to be the actual length of the packet.
+     */
    if (hdr_info.sliceLength == 0)
 	hdr_info.sliceLength = hdr_info.length;

+    if (hdr_info.sliceLength > WTAP_MAX_PACKET_SIZE) {
+	/*
+	 * Probably a corrupt capture file; don't blow up trying
+	 * to allocate space for an immensely-large packet.
+	 */
+	*err = WTAP_ERR_BAD_RECORD;
+	*err_info = g_strdup_printf("airopeek9: File has %u-byte packet, bigger than maximum of %u",
+	    hdr_info.sliceLength, WTAP_MAX_PACKET_SIZE);
+	return FALSE;
+    }
+
    /* fill in packet header length values before slicelength may be
       adjusted */
    wth->phdr.len    = hdr_info.length;
--- a/wiretap/nettl.c
+++ b/wiretap/nettl.c
@ -318,6 +318,17 @@ static gboolean nettl_read(wtap *wth, int *err, gchar **err_info,
    }
    wth->data_offset += ret;

+    if (wth->phdr.caplen > WTAP_MAX_PACKET_SIZE) {
+	/*
+	 * Probably a corrupt capture file; don't blow up trying
+	 * to allocate space for an immensely-large packet.
+	 */
+	*err = WTAP_ERR_BAD_RECORD;
+	*err_info = g_strdup_printf("nettl: File has %u-byte packet, bigger than maximum of %u",
+	    wth->phdr.caplen, WTAP_MAX_PACKET_SIZE);
+	return FALSE;
+    }
+
    /*
     * If the per-file encapsulation isn't known, set it to this
     * packet's encapsulation.
--- a/wiretap/packetlogger.c
+++ b/wiretap/packetlogger.c
@ -106,6 +106,16 @@ packetlogger_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
 		*err_info = g_strdup_printf("packetlogger: record length %u is too small", pl_hdr.len);
 		return FALSE;
 	}
+	if (pl_hdr.len - 8 > WTAP_MAX_PACKET_SIZE) {
+		/*
+		 * Probably a corrupt capture file; don't blow up trying
+		 * to allocate space for an immensely-large packet.
+		 */
+		*err = WTAP_ERR_BAD_RECORD;
+		*err_info = g_strdup_printf("packetlogger: File has %u-byte packet, bigger than maximum of %u",
+		    pl_hdr.len - 8, WTAP_MAX_PACKET_SIZE);
+		return FALSE;
+	}
 	
 	buffer_assure_space(wth->frame_buffer, pl_hdr.len - 8);
 	bytes_read = file_read(buffer_start_ptr(wth->frame_buffer),