User: guy
Date: 2005/10/04 05:23 AM
Log:
Don't ensure all the bytes of a security descriptor exist before calling
"dissect_nt_sec_desc()". Add a Boolean argument to
"dissect_nt_sec_desc()" to indicate whether a length was passed to it
(so we don't treat -1 as a special value; we want to stop treating -1 as
a special length value, and, in fact, want to stop treating *any*
negative length values specially, so that we don't have to worry about
passing arbitrary 32-bit values from packets as lengths), and have
"dissect_nt_sec_desc()" initially create the protocol tree item for the
security descriptor with a length of "go to the end of the tvbuff", and
set the length once we're done dissecting it - and, if the length was
specified, check at *that* point, *after* we've dissected the security
descriptor, whether we have the entire security descriptor in the
tvbuff.

That means that we don't have to worry about overflows after
"dissect_nt_sec_desc()" returns - if the length was so large that we
would have gotten an overflow, we'd have thrown an exception in the
"tvb_ensure_bytes_exist()" call at the end of "dissect_nt_sec_desc()".

Do sanity checks on offsets within the security descriptor, so we know
the item referred to by the offset is after the fixed-length portion of
the descriptor.
Directory: /trunk/epan/dissectors/
Changes    Path                        Action
+2 -2      packet-dcerpc-lsa.c         Modified
+2 -3      packet-dcerpc-samr.c        Modified
+4 -8      packet-dcerpc-spoolss.c     Modified
+4 -4      packet-smb.c                Modified
+90 -23    packet-windows-common.c     Modified
+2 -1      packet-windows-common.h     Modified
http://anonsvn.ethereal.com/viewcvs/viewcvs.py?rev=16113&view=rev
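
The approach the log describes, as an added stand-alone illustration (not code from this commit or from Ethereal): the offsets are checked against the fixed-length header first, and a packet-supplied length is compared only afterwards, as an unsigned value behind an explicit "length present" flag. The names check_sec_desc, sd_status and SD_FIXED_LEN are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Self-relative NT security descriptor: revision(1) sbz1(1) control(2),
 * then four 32-bit little-endian offsets: owner, group, SACL, DACL. */
#define SD_FIXED_LEN 20u

enum sd_status { SD_OK, SD_TRUNCATED, SD_BAD_OFFSET, SD_SHORT_OF_CLAIMED };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical checker (not Ethereal code). avail = bytes captured;
 * claimed_len is consulted only when len_is_present is nonzero. */
enum sd_status check_sec_desc(const uint8_t *buf, size_t avail,
                              int len_is_present, uint32_t claimed_len)
{
    if (avail < SD_FIXED_LEN)
        return SD_TRUNCATED;
    for (size_t i = 0; i < 4; i++) {
        uint32_t off = rd_le32(buf + 4 + 4 * i);
        if (off == 0)
            continue;               /* zero offset: item absent */
        if (off < SD_FIXED_LEN)
            return SD_BAD_OFFSET;   /* would point back into the header */
        if (off >= avail)
            return SD_TRUNCATED;    /* item lies past the captured bytes */
    }
    /* Deferred length check: an unsigned comparison with no addition, so
     * 0xFFFFFFFF is just a too-large length, never a "-1" sentinel. */
    if (len_is_present && claimed_len > avail)
        return SD_SHORT_OF_CLAIMED;
    return SD_OK;
}

int main(void)
{
    /* Constructed sample: header with owner at offset 20, 4 bytes of body. */
    uint8_t sd[24] = { 1, 0, 0x04, 0x80, 20, 0, 0, 0 };
    printf("no length:  %d\n", check_sec_desc(sd, sizeof sd, 0, 0));
    printf("0xFFFFFFFF: %d\n", check_sec_desc(sd, sizeof sd, 1, 0xFFFFFFFFu));
    sd[4] = 8;
    printf("offset 8:   %d\n", check_sec_desc(sd, sizeof sd, 0, 0));
    return 0;
}
```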