osmocom
/
wireshark
14
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Use ep_strbufs instead of trying to track string offsets manually 

and overflowing a buffer. Fixes a crash in bug 7568 discovered by
Laurent Butti.

We do the Dance Of The String Offset Pointers in several other
places. They should probably be changed to ep_strbufs as well.

svn path=/trunk/; revision=44320
This commit is contained in:
Gerald Combs 2012-08-08 00:40:03 +00:00
parent 9f8b638cfa
commit cfb93ddbf5
1 changed files with 25 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
epan/dissectors/packet-rtps2.c
View File

@ -993,12 +993,11 @@ static void rtps_util_add_extra_flags(proto_tree *tree,
const char *label) {
if (tree) {
guint16 flags = NEXT_guint16(tvb, offset, FALSE); /* Always big endian */
guint8 temp_buffer[20];
emem_strbuf_t *temp_buffer = ep_strbuf_new_label(NULL);
int i;
for (i = 0; i < 16; ++i) {
temp_buffer[i] = ((flags & (1 << (15-i))) != 0) ? '1' : '0';
ep_strbuf_append_c(temp_buffer, ((flags & (1 << (15-i))) != 0) ? '1' : '0');
}
temp_buffer[16] = '\0';
proto_tree_add_text(tree,
tvb,
@ -1006,7 +1005,7 @@ static void rtps_util_add_extra_flags(proto_tree *tree,
2,
"%s: %s",
label,
temp_buffer);
temp_buffer->str);
}
}
@ -3064,7 +3063,8 @@ static int rtps_util_add_bitmap(proto_tree *tree,
guint64 seq_base;
gint32 num_bits;
guint32 data;
char temp_buff[MAX_BITMAP_SIZE];
emem_strbuf_t *temp_buff = ep_strbuf_new_label(NULL);
gchar *last_one;
int i, j, idx;
proto_item * ti;
proto_tree * bitmap_tree;
@ -3086,27 +3086,23 @@ static int rtps_util_add_bitmap(proto_tree *tree,
/* Reads the bits (and format the print buffer) */
idx = 0;
temp_buff[0] = '\0';
for (i = 0; i < num_bits; i += 32) {
data = NEXT_guint32(tvb, offset, little_endian);
offset += 4;
for (j = 0; j < 32; ++j) {
datamask = (1 << (31-j));
temp_buff[idx] = ((data & datamask) == datamask) ? '1':'0';
ep_strbuf_append_c(temp_buff, ((data & datamask) == datamask) ? '1':'0');
++idx;
if (idx >= num_bits) {
break;
}
if (idx >= MAX_BITMAP_SIZE-1) {
if (idx >= num_bits || temp_buff->len >= ITEM_LABEL_LENGTH - 1) {
break;
}
}
}
temp_buff[idx] = '\0';
/* removes all the ending '0' */
for (i = (int)strlen(temp_buff) - 1; (i>0 && temp_buff[i] == '0'); --i) {
temp_buff[i] = '\0';
last_one = strrchr(temp_buff->str, '1');
if (last_one) {
ep_strbuf_truncate(temp_buff, (gsize) (last_one - temp_buff->str));
}
if (tree) {
@ -3118,7 +3114,7 @@ static int rtps_util_add_bitmap(proto_tree *tree,
label,
seq_base,
num_bits,
temp_buff);
temp_buff->str);
bitmap_tree = proto_item_add_subtree(ti, ett_rtps_bitmap);
proto_tree_add_text(bitmap_tree,
tvb,
@ -3132,13 +3128,13 @@ static int rtps_util_add_bitmap(proto_tree *tree,
4,
"numBits: %u",
num_bits);
if (temp_buff[0] != '\0') {
if (temp_buff->len > 0) {
proto_tree_add_text(bitmap_tree,
tvb,
original_offset + 12,
offset - original_offset - 12,
"bitmap: %s",
temp_buff);
temp_buff->str);
}
}
return offset;
@ -3163,7 +3159,8 @@ static int rtps_util_add_fragment_number_set(proto_tree *tree,
guint64 base;
gint32 num_bits;
guint32 data;
char temp_buff[MAX_BITMAP_SIZE];
emem_strbuf_t *temp_buff = ep_strbuf_new_label(NULL);
gchar *last_one;
int i, j, idx;
proto_item * ti;
proto_tree * bitmap_tree;
@ -3209,28 +3206,25 @@ static int rtps_util_add_fragment_number_set(proto_tree *tree,
/* Reads the bits (and format the print buffer) */
idx = 0;
temp_buff[0] = '\0';
for (i = 0; i < num_bits; i += 32) {
data = NEXT_guint32(tvb, offset, little_endian);
offset += 4;
for (j = 0; j < 32; ++j) {
datamask = (1 << (31-j));
temp_buff[idx] = ((data & datamask) != 0) ? '1':'0';
ep_strbuf_append_c(temp_buff, ((data & datamask) == datamask) ? '1':'0');
++idx;
if (idx > num_bits) {
break;
}
if (idx >= MAX_BITMAP_SIZE-1) {
if (idx >= num_bits || temp_buff->len >= ITEM_LABEL_LENGTH - 1) {
break;
}
}
}
temp_buff[idx] = '\0';
/* removes all (but the last one) characters '0' */
for (i = (int)strlen(temp_buff) - 1; (i>0 && temp_buff[i] == '0'); --i) {
temp_buff[i] = '\0';
/* removes all the ending '0' */
last_one = strrchr(temp_buff->str, '1');
if (last_one) {
ep_strbuf_truncate(temp_buff, (gsize) (last_one - temp_buff->str));
}
if (tree) {
ti = proto_tree_add_text(tree,
tvb,
@ -3240,7 +3234,7 @@ static int rtps_util_add_fragment_number_set(proto_tree *tree,
label,
base,
num_bits,
temp_buff);
temp_buff->str);
bitmap_tree = proto_item_add_subtree(ti, ett_rtps_bitmap);
proto_tree_add_text(bitmap_tree,
tvb,
@ -3254,13 +3248,13 @@ static int rtps_util_add_fragment_number_set(proto_tree *tree,
4,
"numBits: %u",
num_bits);
if (temp_buff[0] != '\0') {
if (temp_buff->len > 0) {
proto_tree_add_text(bitmap_tree,
tvb,
original_offset + base_size + 4,
offset - original_offset - base_size - 4,
"bitmap: %s",
temp_buff);
temp_buff->str);
}
}
return offset;
@ -9576,4 +9570,3 @@ void proto_register_rtps2(void) {
void proto_reg_handoff_rtps2(void) {
heur_dissector_add("udp", dissect_rtps, proto_rtps);
}