https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6510
Summary: Harden buffer_assure_space to avoid integer overflow
and possible later buffer overflows
Product: Wireshark
Version: SVN
Platform: Other
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: huzaifas@xxxxxxxxxx
Created an attachment (id=7325)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7325)
buffer_assure_space() overflow patch
Build Information:
Affects all the builds.
--
buffer_assure_space() in wiretap/buffer.c seems to be suffering from an integer
overflow issue, which may escalate to buffer overflow later.
When performing:
    buffer->allocated += space + 1024;
the value of buffer->allocated can actually overflow, which will result in
less memory being allocated/re-allocated later in the following line:
    buffer->data = (guint8*)g_realloc(buffer->data, buffer->allocated);
Later when this buffer is used to copy data to, it would result in a heap-based
buffer overflow.
Attached patch should correct the problem.
--
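The wrap described in the report and one way to guard the size computation, as an added example that is neither Wireshark's code nor the attached patch. demo_buffer, its 32-bit fields and all function names are assumptions made for illustration; only the "space + 1024" growth expression comes from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GROW_SLACK 1024u  /* the constant from the report's expression */

/* Simplified stand-in for the wiretap buffer (assumed layout, 32-bit sizes). */
typedef struct {
    uint8_t *data;
    uint32_t allocated;   /* bytes currently allocated */
    uint32_t first_free;  /* offset of the first unused byte */
} demo_buffer;

/* What "allocated += space + 1024" yields: the sum wraps modulo 2^32. */
uint32_t unchecked_new_size(uint32_t allocated, uint32_t space) {
    return allocated + space + GROW_SLACK;
}

/* Same sum with each addition checked; -1 if it cannot be represented. */
int checked_new_size(uint32_t allocated, uint32_t space, uint32_t *out) {
    if (space > UINT32_MAX - GROW_SLACK) return -1;
    if (allocated > UINT32_MAX - (space + GROW_SLACK)) return -1;
    *out = allocated + space + GROW_SLACK;
    return 0;
}

/* Grow so that `space` bytes are free; fail rather than shrink on overflow. */
int demo_assure_space(demo_buffer *b, uint32_t space) {
    uint32_t new_size;
    uint8_t *p;
    if (b->allocated - b->first_free >= space) return 0;  /* already fits */
    if (checked_new_size(b->allocated, space, &new_size) != 0) return -1;
    p = realloc(b->data, new_size);
    if (p == NULL) return -1;          /* old block is still valid */
    b->data = p;
    b->allocated = new_size;
    return 0;
}

int main(void) {
    demo_buffer b = { malloc(4096), 4096, 4096 };  /* constructed: full buffer */
    uint32_t huge = 0xFFFFF000u;                   /* constructed request size */
    int rc;
    printf("unchecked size: %u\n", (unsigned)unchecked_new_size(b.allocated, huge));
    rc = demo_assure_space(&b, huge);
    printf("hardened result: %d, allocated: %u\n", rc, (unsigned)b.allocated);
    free(b.data);
    return 0;
}
```

With the unchecked expression the computed size is smaller than the current allocation, so the caller would proceed believing it has room for the requested bytes; the checked version reports failure and leaves the buffer unchanged.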