Bug ID: 10840
Summary: Wireshark 1.12.2 Canon BJNP proto handler flaw
Product: Wireshark
Version: 1.12.2
Hardware: x86
OS: Windows 7
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
Hi there,
let's look at the Canon BJNP proto handler:
(\wireshark-1.12.2\epan\dissectors\packet-bjnp.c)
/* ------- original code start ------- */
static int dissect_bjnp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                         void *data _U_)
{
  //... skipped
  gint offset = 0;
  //... skipped
  guint32 payload_len;
  //... skipped
  offset++;
  //... skipped
  payload_len = tvb_get_ntohl (tvb, offset);
  //... skipped
  if (payload_len > 0) {
    /* TBD: Dissect various commands */
    proto_tree_add_item (bjnp_tree, hf_payload, tvb, offset, payload_len,
                         ENC_NA);
    // flaw is here
    offset += payload_len; // the "offset" variable could be overflowed and
                           // contain an unpredictable value
  }
/* ------- original code end ------- */
A patch should check for a possible overflow and stop execution if we get one.
/* ------- some sort of a patch start ------- */
#define MAX(x,y) ( ((x)>(y))?(x):(y) )
  if (offset != 0
      && payload_len != 0
      && ((unsigned)(offset) + (unsigned)(payload_len)) <
         MAX((unsigned)(offset),(unsigned)(payload_len)))
    return 0;
/* ------- some sort of a patch end ------- */
Thanks.
yeno01
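Added example, not code from the report or from Wireshark itself: a stand-alone C check for the gint offset plus guint32 payload_len step discussed above. The sum is formed in 64 bits and rejected when it would not fit a gint or would run past the bytes present in the buffer, so both 32-bit wraparound and a length that merely turns the offset negative are caught before the offset is used. The 10-byte header in front of the length field in the constructed packets is an assumption made for illustration, not taken from the BJNP format.

```c
#include <stdint.h>

/* Outcome of advancing a dissector offset over a length-prefixed field. */
typedef enum { ADV_OK, ADV_OVERFLOW, ADV_TRUNCATED } adv_status;

/* Advance a signed offset (Wireshark's gint) by an untrusted 32-bit length
 * (guint32 payload_len).  The sum is formed in 64 bits so it can neither
 * wrap nor go negative, then it is checked against the bytes in the buffer. */
adv_status safe_advance(int32_t offset, uint32_t payload_len, uint32_t buf_len,
                        int32_t *new_offset)
{
    if (offset < 0 || (uint32_t)offset > buf_len)
        return ADV_TRUNCATED;          /* caller is already past the end */
    uint64_t end = (uint64_t)offset + payload_len;
    if (end > INT32_MAX)
        return ADV_OVERFLOW;           /* result would not fit a gint */
    if (end > buf_len)
        return ADV_TRUNCATED;          /* length claims more than was captured */
    *new_offset = (int32_t)end;
    return ADV_OK;
}

/* Read a big-endian 32-bit length at 'offset' (what tvb_get_ntohl does) and
 * step over the payload it announces, as dissect_bjnp does after its header. */
adv_status skip_length_prefixed(const uint8_t *buf, uint32_t buf_len,
                                int32_t offset, int32_t *new_offset)
{
    int32_t after_len;
    if (safe_advance(offset, 4, buf_len, &after_len) != ADV_OK)
        return ADV_TRUNCATED;          /* not even room for the length field */
    uint32_t payload_len = ((uint32_t)buf[offset] << 24) |
                           ((uint32_t)buf[offset + 1] << 16) |
                           ((uint32_t)buf[offset + 2] << 8) |
                            (uint32_t)buf[offset + 3];
    return safe_advance(after_len, payload_len, buf_len, new_offset);
}

/* Constructed sample packets (not real captures): an assumed 10-byte header,
 * then the 4-byte length.  The hostile one announces 0xFFFFFFF0 payload bytes:
 * 14 + 0xFFFFFFF0 does not wrap in 32-bit unsigned arithmetic, yet the result
 * is negative once stored in a gint, so a bounds check is still required. */
static const uint8_t benign_pkt[]  = { 'B','J','N','P',1,0x20,0,1,0,0,
                                       0,0,0,4, 'a','b','c','d' };
static const uint8_t hostile_pkt[] = { 'B','J','N','P',1,0x20,0,1,0,0,
                                       0xFF,0xFF,0xFF,0xF0 };
```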