Wireshark-commits: [Wireshark-commits] lts-1.8.2 84faf42: Add a check for an oversized record.
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 16 Jun 2014 18:50:53 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=84faf42556f495f2586a1480913a0cef3b9e84db

Submitter: Balint Reczey (balint@xxxxxxxxxxxxxxx)
Changed: branch: lts-1.8.2
Repository: wireshark

Commits:

df20c71 by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    Revert r41311, fix bug #7581

    svn path=/trunk/; revision=44454

7e811ec by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    Fix bug #7668
    Use correct field type for lcp.opt.oui

    svn path=/trunk/; revision=44688

73923b4 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666 :
    Check that DRDA command has a minimum length of 10 bytes to prevent a potential infinite loop

    svn path=/trunk/; revision=44749

5871bf1 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    From Aditya Ambadkar via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7046 :

    Fix CID 703472 and (external) fuzz failure 7567: The dissect_subtlv_interface_parameters is missing the handling of BFD 2..4. For the crash patch, we decided to add the bfd2..4 in dissect_tlc function (in the diff). We plan to open a separate bug to fix dissect_subtlv_interface_parameters to make it handle BFD2..4. (Thanks to Arun Arunachalam for this analysis)

    From me: fix up some indentation and replace tabs with spaces (for consistency).

    svn path=/trunk/; revision=44801

672720c by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Copy over:
    Revision 46646 - Clean up white space. Add a return where I presume it was intended to be - a 4-octet address is completely handled in that if clause, so there's no reason to fall through. Fix a comment.
    --------------------------------------------------------------------------------
    Revision 46645 - Fix some valgrind warnings from the capture attached to https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8110 I can't reproduce the actual reported crash on trunk.
    --------------------------------------------------------------------------------
    Revision 45646 - (try to) fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7871 increment offset to point to the first byte after the options (the code used to set an absolute position, if that was 0, we were stuck in an endless loop)
    --------------------------------------------------------------------------------
    Revision 45059 - replaced decode_boolean_bitfield calls with itemized filters

    svn path=/trunk-1.8/; revision=46659

06f95d0 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 (or at least the complaints from Valgrind; I couldn't reproduce the crash).

    What part of:

    ~~~
     * If you're thinking of using tvb_get_ptr, STOP WHAT YOU ARE DOING
     * IMMEDIATELY. Go take a break. Consider that tvb_get_ptr hands you
     * a raw, unprotected pointer that you can easily use to create a
     * security vulnerability or otherwise crash Wireshark. Then consider
     * that you can probably find a function elsewhere in this file that
     * does exactly what you want in a much more safe and robust manner.
    ~~~

    did someone not read?

    Use tvb_get_ephemeral_stringz() instead of adding (apparently not sufficiently checked!) offsets to the result of tvb_get_ptr() and assuming that the result is a) in bounds and b) a NULL-terminated string.

    svn path=/trunk/; revision=46577

abd69c9 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Get rid of another tvb_get_ptr() abuse (just like r46577 but in a different function).

    svn path=/trunk/; revision=46579

53406d7 by Martin Kaiser (wireshark@xxxxxxxxx):

    check the length parameter for tvb_get_unicode_string() and tvb_get_ephemeral_unicode_string(), throw an exception for invalid lengths (including -1, but length==-1 does not work for other tvb string functions either)

    I believe this is the proper fix for https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8112

    svn path=/trunk/; revision=46705

b653962 by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Copy over: Revision 46705, Revision 43266, Revision 43263

    svn path=/trunk-1.8/; revision=46760

a4ad0e3 by Martin Kaiser (wireshark@xxxxxxxxx):

    From Evan: sanity checks before setting a packet's total length in fragment_set_tot_len()
    (from me: check if fragments exist for the given id)

    hopefully, this fixes #8111 and #8163 without causing troubles for other protocols that use fragmentation and reassembly

    svn path=/trunk/; revision=46999

9223033 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7679: Do not try to set IR header length when the profile is unknown

    svn path=/trunk/; revision=44700

389c484 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over from trunk:

    ------------------------------------------------------------------------
    r47125 | martink | 2013-01-16 16:57:34 -0500 (Wed, 16 Jan 2013) | 2 lines

    no need for if (tree)

    ------------------------------------------------------------------------
    r47123 | martink | 2013-01-16 16:51:16 -0500 (Wed, 16 Jan 2013) | 5 lines

    don't attempt reassembly if more than 1000 consecutive fragments are missing

    this fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8222

    ------------------------------------------------------------------------
    r47098 | eapache | 2013-01-15 11:51:55 -0500 (Tue, 15 Jan 2013) | 5 lines

    Don't run past the end of a fragment array, either in the loop or by putting a useless sentinel in.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8213

    svn path=/trunk-1.8/; revision=47245

6a70bb1 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r47114 by hand.

    ------------------------------------------------------------------------
    r47114 | eapache | 2013-01-16 06:14:05 -0800 (Wed, 16 Jan 2013) | 3 lines
    Changed paths:
       M /trunk/epan/proto.c

    Null the finfo pointer after we free it. Reduces (but does not completely fix) the errors from bug https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=47281

94833eb by Evan Huus (eapache@xxxxxxxxx):

    Take a wild guess at what might be causing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197

    It can't hurt, in any case.

    svn path=/trunk/; revision=47084

c3ecbd6 by Balint Reczey (balint@xxxxxxxxxxxxxxx):

    Prevent copying longer than expected NTLM SSP key

    svn path=/trunk/; revision=47248

c4b00a1 by Evan Huus (eapache@xxxxxxxxx):

    Manually rediscover r43185 to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8274

    svn path=/trunk-1.8/; revision=47381

3a27124 by Evan Huus (eapache@xxxxxxxxx):

    Backport with non-trivial manual intervention to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8383

    ------------------------------------------------------------------------
    r44899 | etxrab | 2012-09-14 10:05:50 -0400 (Fri, 14 Sep 2012) | 9 lines

    From Mike Morrin:
    Fix pedantic compiler warnings in csn.1 dissectors.
    There is some tricky casting going on in csn.1 structures. To eliminate all the warnings, the function pointers needed to be moved out of the object pointer unions. Fortunately macros (mostly) hide these changes from the protocol dissector tables.

    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7686
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=47888

127559e by Evan Huus (eapache@xxxxxxxxx):

    Backport the workaround with manual intervention:

    ------------------------------------------------------------------------
    r47979 | eapache | 2013-03-01 14:08:30 -0500 (Fri, 01 Mar 2013) | 3 lines

    Add a much better workaround for bug #8382 and some expert info.
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8382
    ------------------------------------------------------------------------

    The actual fix (when it comes) will be too intrusive to backport.

    svn path=/trunk-1.8/; revision=47981

2cfadc0 by Michael Mann (mmann78@xxxxxxxxxxxx):

    Fix potential buffer overflow in RTPS and RTPS2 dissectors by allocating enough memory to fit the "indentation space". Bug 8332 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8332)

    svn path=/trunk/; revision=47658

a0d6352 by Evan Huus (eapache@xxxxxxxxx):

    From Alyssa Milburn via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8335

    Make length field unsigned so that negative values fail the bounds check and throw a regular exception before getting passed to glib (where they cause a program-ending assert failure instead).

    svn path=/trunk/; revision=47672

db84d90 by Jaap Keuter (jaap.keuter@xxxxxxxxx):

    From Alyssa Milburn:
    This patch adds a check for a zero count to the existing sanity check code.
    From me: In addition drop superfluous sanity check.

    svn path=/trunk/; revision=47692

42fe08e by Michael Mann (mmann78@xxxxxxxxxxxx):

    Bugfix DoS in CIMD dissector. Bug 8346 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8346)

    svn path=/trunk/; revision=47708

586cdd6 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over revisions from the trunk:

    ------------------------------------------------------------------------
    r48010 | eapache | 2013-03-02 08:23:21 -0800 (Sat, 02 Mar 2013) | 4 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-dtls.c

    Pass the same offset to tvb_ensure_bytes_exist and fragment_add.

    One minor part of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380
    ------------------------------------------------------------------------

    Copy over with manual intervention:

    ------------------------------------------------------------------------
    r48011 | eapache | 2013-03-02 08:39:56 -0800 (Sat, 02 Mar 2013) | 23 lines
    Changed paths:
       M /trunk/epan/exceptions.h
       M /trunk/epan/reassemble.c
       M /trunk/epan/show_exception.c

    Define a new exception for reassembly errors, and throw it in several cases instead of using DISSECTOR_ASSERT. When a dissector passes bad data to the reassembly machine, that isn't necessarily the dissector's fault - the data may come straight from the packet, and the dissector may not have enough information to know it's bad without telling the reassembly machine in the first place.

    Also fix a bug in the reassembly machine. If it were given a fragment and all of the following conditions were met:
    - the other associated fragments were already marked as done (reassembled)
    - the fragment went beyond the end of the conceptual reassembled buffer
    - the dissector had not set the PARTIAL_REASSEMBLY flag
    then the reassembly machine would incorrectly think there was an overlap and run past the end of the already-reassembled buffer.

    Should fix the rest of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380

    #BACKPORT This is probably too big and intrusive to backport directly, and parts of it will need adapting anyways since reassemble.c has changed. But the bug exists and crashes in 1.6 and 1.8, so we'll have to do something.
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=48112

    Copy over from trunk

    ------------------------------------------------------------------------
    r48123 | eapache | 2013-03-05 19:39:35 -0500 (Tue, 05 Mar 2013) | 5 lines

    Followup to r48011, answering my own XXX comment: No, ReportedBoundsError is not the right thing to throw, ReassemblyError is. That's why I added it in the first place!
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=48124

4d84f28 by Evan Huus (eapache@xxxxxxxxx):

    Manually backport more of r48011.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8441 for 1.8 branch.

    svn path=/trunk-1.8/; revision=48132

8d066fa by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8493 : Use proto_tree_add_item instead of proto_tree_add_bits_item to display Used Cipher

    svn path=/trunk/; revision=48393

    Conflicts:
        epan/dissectors/packet-gtpv2.c

d2384fc by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over with manual intervention:

    ------------------------------------------------------------------------
    r48944 | eapache | 2013-04-20 14:20:00 -0700 (Sat, 20 Apr 2013) | 5 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-ber.c

    Initialize branch_taken right at the top of dissect_ber_choice so that the caller can depend on it being initialized even in peculiar error conditions.

    Fixes the other half of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8599
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=49265

    Conflicts:
        docbook/release-notes.xml

ab4742a by Michael Mann (mmann78@xxxxxxxxxxxx):

    NULL terminate bit field list. Bug 8638 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8638)

    svn path=/trunk/; revision=49214

42292ec by Michael Mann (mmann78@xxxxxxxxxxxx):

    dcp-etsi dissector: new formula for rx_min Bug 8231 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8231)

    svn path=/trunk/; revision=47295

7a7bc7e by Evan Huus (eapache@xxxxxxxxx):

    Bump two guint16 to guint32 to prevent overflow when reassembling a large number of fragments, and add an extra bounds check.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8540
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8541

    svn path=/trunk/; revision=48644

afcb065 by Evan Huus (eapache@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8481

    Trivially wrong format string being passed to val_to_str().

    svn path=/trunk/; revision=48332

    Conflicts:
        epan/dissectors/packet-mpeg-dsmcc.c

736eea7 by Evan Huus (eapache@xxxxxxxxx):

    Change some ints to guints (as they already are in trunk) so that negative values don't falsely pass the bounds checks and cause a crash.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8499

    svn path=/trunk-1.8/; revision=48419

3b8fdc0 by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Don't access nbap_dch_chnl_info if the index is > maxNrOfDCHs

    svn path=/trunk/; revision=49418

    Conflicts:
        epan/dissectors/packet-nbap.c

d83ed06 by Chris Maynard (Christopher.Maynard@xxxxxxxxx):

    Don't pass the return value of tvb_length_remaining() to fragment_add_check(), as it might have been -1. Fixes Coverity CID 280510: Improper use of negative value.

    svn path=/trunk/; revision=43716

387cd02 by Bill Meier (wmeier@xxxxxxxxxxx):

    Fix potential buffer overflow crash; (Bug #7880).
    Rework code logic slightly so same code path (and tests) used whether or not 'if(tree)'.

    svn path=/trunk/; revision=46128

f71d962 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    From Sylvain Munaut via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664 :
    packet-gmr1_bcch: Add guards in the SI1/2 choice of segment

    Although the CSN1 dissector itself will just stop if there is no matching segment, it will leave the choice field uninitialized and so when we use it to fill some other text, it crashes ...

    To protect against that, we put a last choice entry that will always match. As a bonus, it triggers an explicit error in CSN so you know something is wrong.

    svn path=/trunk/; revision=44674

bea81cc by Evan Huus (eapache@xxxxxxxxx):

    Manually backport parts of

    ------------------------------------------------------------------------
    r46158 | wmeier | 2012-11-23 16:11:47 -0500 (Fri, 23 Nov 2012) | 13 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-rdp.c

    Improve dissection;
    - Properly handle DataBlocks with optional fields at end;
    - Fix a few field dissections;
    General code cleanup;
    - Remove almost all tests using tvb_length_remaining(): If there's not enough data available, just let an exception be thrown.
    - Fix a memory leak;
    - Simplify code in various places.
    - Add a reference to the (a ?) Microsoft spec for RDP.

    Fixes Bug #7862 in a more complete manner than SVN #45566.
    ------------------------------------------------------------------------

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8729 which is really a tangential duplicate of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7862

    svn path=/trunk-1.8/; revision=49679

cbd8dbe by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the infinite recursion problem reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :

    We can't solely rely on the port in the URI to determine whether we will be recursively called by decode_tcp_ports(). Instead also check the conversation entry too: if we find that we are the subdissector for this conversation (which we might be--without the port being in our list of ports--if we heuristically picked up the conversation or the user did Decode-As), just bail out and dissect the payload as data.

    svn path=/trunk/; revision=49623

b1b8c29 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the wiretap fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 :

    Check that the record length we got out of the file is at least as big as stats block trailer; if not, declare the file bad.

    svn path=/trunk/; revision=49739

7dda211 by Evan Huus (eapache@xxxxxxxxx):

    From myself and Julian Cable via (and fixing) https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717

    Don't add a DCP-ETSI fragment for reassembly if the length is wrong.

    svn path=/trunk/; revision=49802

dfbe5b9 by Martin Kaiser (wireshark@xxxxxxxxx):

    fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8916 reported by Laurent Butti

    a TPDU's length field must never be 0
    this length field was decremented without prior checking, allocating length-1 bytes of memory caused a dissector assert

    svn path=/trunk/; revision=50474

a6c7a05 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over with manual intervention:

    ------------------------------------------------------------------------
    r50672 | morriss | 2013-07-16 13:59:26 -0400 (Tue, 16 Jul 2013) | 8 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-gsm_a_common.c

    Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8940 :

    Test whether idx is in range or not (by seeing if it was found in the value_string) before using it as an index into any of the elem_var arrays.

    This fuzz failure was in elem_telv() but apply the fix to all the elem_*() functions.
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=50675

50fac68 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r49697 with manual intervention:

    ------------------------------------------------------------------------
    r49697 | guy | 2013-06-02 11:09:13 -0700 (Sun, 02 Jun 2013) | 6 lines
    Changed paths:
       M /trunk/wiretap/netmon.c

    Initialize the frame_table_size field of the private data to 0 and the frame_table field to NULL before trying to allocate the frame table, so that if we fail before we allocate the frame table, the attempt to free the private data doesn't crash due to the frame_table field containing a bogus pointer.
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=50684

    Conflicts:
        docbook/release-notes.xml

88fffb6 by Evan Huus (eapache@xxxxxxxxx):

    Ensure that the length parameter to dissect_per_length_determinant is initialized even in cases where we error or otherwise fail to dissect.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8722

    Thanks to Pascal for his help digging through this one.

    svn path=/trunk/; revision=49985

0db1406 by Evan Huus (eapache@xxxxxxxxx):

    From Peter Hatina via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9104

    Fix double-free on corrupt netmon file. Wiretap frees the struct for us, we don't need to free it as well.

    svn path=/trunk-1.8/; revision=51781

b0e171f by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r49673 from the trunk:

    ------------------------------------------------------------------------
    r49673 | guy | 2013-05-31 23:48:37 -0700 (Fri, 31 May 2013) | 7 lines
    Changed paths:
       M /trunk/epan/filesystem.c
       M /trunk/wiretap/netmon.c

    When allocating the frame table for a NetMon file, use g_try_malloc(), and fail with ENOMEM if that fails (and the frame table is not empty - g_try_malloc() will return NULL if you ask it to allocate zero bytes).

    Have an error message for ENOMEM on an open that attempts to tell the user what the problem is without making their head explode.
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=51911

    Conflicts:
        docbook/release-notes.xml

c480618 by Evan Huus (eapache@xxxxxxxxx):

    Copy over revisions from the trunk:

    ------------------------------------------------------------------------
    r51213 | eapache | 2013-08-08 06:50:11 -0400 (Thu, 08 Aug 2013) | 4 lines

    Correctly check bounds on dim_max.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019
    ------------------------------------------------------------------------
    r51516 | eapache | 2013-08-25 13:31:15 -0400 (Sun, 25 Aug 2013) | 4 lines

    Make sure our ldap_call_response_t struct is always completely initialized, fixing a "Conditional jump or move depends on uninitialised value" error found by valgrind fuzzing.
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=51624

91ee1b1 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over revisions from trunk:

    ------------------------------------------------------------------------
    r51195 | martink | 2013-08-07 16:18:11 -0400 (Wed, 07 Aug 2013) | 4 lines
    Changed paths:
       M /trunk/asn1/nbap/nbap.cnf
       M /trunk/epan/dissectors/packet-nbap.c

    add a range check for dch_id

    this should fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005
    ------------------------------------------------------------------------

    svn path=/trunk-1.8/; revision=51230

6922467 by Evan Huus (eapache@xxxxxxxxx):

    _lookup_extended takes a pointer to the key-pointer since it has to set the old key pointer value. _insert just takes the key-pointer, not a pointer to it.

    Passing a pointer-to-a-pointer causes the outer pointer to be dereferenced as a struct (when it in fact points to a pointer to struct) and leads to incorrect behaviour and uninitialized/out-of-bounds memory accesses.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9139

    svn path=/trunk/; revision=52036

b97763c by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r52154 by hand:

    ------------------------------------------------------------------------
    r52154 | etxrab | 2013-09-20 07:19:31 -0700 (Fri, 20 Sep 2013) | 1 line
    Changed paths:
       M /trunk/asn1/nbap/nbap.cnf
       M /trunk/asn1/nbap/packet-nbap-template.c
       M /trunk/epan/dissectors/packet-nbap.c

    DCH-ID can be 255
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=52958

ed95ddc by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9228 : Ensure that decompressed tvb exists before trying to add it to the tree

    svn path=/trunk/; revision=52354

74f74f5 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r52570 with manual intervention:

    ------------------------------------------------------------------------
    r52570 | cmaynard | 2013-10-12 11:03:34 -0700 (Sat, 12 Oct 2013) | 4 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-tcp.c

    Don't assume that tvb_length_remaining() or tvb_reported_length_remaining() always return a value >= 0.

    Part of fix for https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9263

    #BACKPORT(1.10,1.8)
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=52962

    Conflicts:
        docbook/release-notes.xml

04a1625 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r53626 with manual intervention.

    ------------------------------------------------------------------------
    r53626 | rbalint | 2013-11-28 08:39:04 -0800 (Thu, 28 Nov 2013) | 5 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-ntlmssp.c

    Support long Domain Names in NTLMSSP v2

    ... instead of crashing on them. :-)

    Discovered by Garming Sam <garming@xxxxxxxxxxxxxxx>
    ------------------------------------------------------------------------

    Update the release notes.

    svn path=/trunk-1.8/; revision=54146

    Conflicts:
        docbook/release-notes.asciidoc

98299fc by Michael Mann (mmann78@xxxxxxxxxxxx):

    Remove static packet_info *gpinfo and just use the packet_info provided by the function.

    svn path=/trunk/; revision=49145

    Conflicts:
        epan/dissectors/packet-bssgp.c
        epan/dissectors/packet-gsm_a_bssmap.c
        epan/dissectors/packet-gsm_sms.c
        epan/dissectors/packet-nas_eps.c
        epan/dissectors/packet-sgsap.c

b490a40 by Evan Huus (eapache@xxxxxxxxx):

    Harden nfs_name_snoop_add_name against various malformed inputs.

    Thanks to Moshe Kaplan for the report.

    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 and some other cases in the same vein.

    svn path=/trunk/; revision=54875

    Conflicts:
        epan/dissectors/packet-nfs.c

    Change-Id: I7b64ad4475ef7701dd064cad98d5567ae3847735

598c766 by Evan Huus (eapache@xxxxxxxxx):

    Don't mix emem and glib memory and init routines.

    The seasonal memory is freed before the init routine is called, leading to a whole bunch of use-after-free errors.

    Fixes bug #9802 (and duplicates).

    This introduces a few minor leaks but I can't find an easy way to add additional free calls that doesn't lead to double-free errors.

    Change-Id: I1536fcb8e96f5560ad366169e815f62967b3e40d
    Reviewed-on: https://code.wireshark.org/review/407
    Reviewed-by: Evan Huus <eapache@xxxxxxxxx>

84faf42 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Add a check for an oversized record.

    For now we declare the file corrupt and give up. We may want to handle this more gracefully.

    Fixes a vulnerability discovered by Wesley Neelen (bug 9843).

    Remove the RCS ID and add modelines.

    Change-Id: I418938d7d6485b27cc51cf1dde50bc42dabf8c85
    Reviewed-on: https://code.wireshark.org/review/533
    Reviewed-by: Gerald Combs <gerald@xxxxxxxxxxxxx>
    (cherry picked from commit 34144b8d4da141e8aa9b99221855edc9f4c73ad8)
    Reviewed-on: https://code.wireshark.org/review/534

    Conflicts:
        wiretap/mpeg.c

Actions performed:

    from  db4cb96   Build 1.8.2.
     new  df20c71   Revert r41311, fix bug #7581
     new  7e811ec   Fix bug #7668
     new  73923b4   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666 : Check that DRDA command has a minimum length of 10 bytes to prevent a potential infinite loop
     new  5871bf1   From Aditya Ambadkar via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7046 :
     new  672720c   Copy over: Revision 46646 - Clean up white space.
     new  06f95d0   Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 (or at least the complaints from Valgrind; I couldn't reproduce the crash).
     new  abd69c9   Get rid of another tvb_get_ptr() abuse (just like r46577 but in a different function).
     new  53406d7   check the length parameter for tvb_get_unicode_string() and tvb_get_ephemeral_unicode_string(), throw an exception for invalid lengths (including -1, but length==-1 does not work for other tvb string functions either)
     new  b653962   Copy over: Revision 46705, Revision 43266, Revision 43263
     new  a4ad0e3   From Evan: sanity checks before setting a packet's total length in fragment_set_tot_len()
     new  9223033   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7679: Do not try to set IR header length when the profile is unknown
     new  389c484   Copy over from trunk:
     new  6a70bb1   Copy over r47114 by hand.
     new  94833eb   Take a wild guess at what might be causing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197
     new  c3ecbd6   Prevent copying longer than expected NTLM SSP key
     new  c4b00a1   Manually rediscover r43185 to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8274
     new  3a27124   Backport with non-trivial manual intervention to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8383
     new  127559e   Backport the workaround with manual intervention: ------------------------------------------------------------------------ r47979 | eapache | 2013-03-01 14:08:30 -0500 (Fri, 01 Mar 2013) | 3 lines
     new  2cfadc0   Fix potential buffer overflow in RTPS and RTPS2 dissectors by allocating enough memory to fit the "indentation space".
     new  a0d6352   From Alyssa Milburn via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8335
     new  db84d90   From Alyssa Milburn: This patch adds a check for a zero count to the existing sanity check code.
     new  42fe08e   Bugfix DoS in CIMD dissector. Bug 8346 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8346)
     new  586cdd6   Copy over revisions from the trunk:
     new  4d84f28   Manually backport more of r48011.
     new  8d066fa   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8493 : Use proto_tree_add_item instead of proto_tree_add_bits_item to display Used Cipher
     new  d2384fc   Copy over with manual intervention:
     new  ab4742a   NULL terminate bit field list. Bug 8638 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8638)
     new  42292ec   dcp-etsi dissector: new formula for rx_min Bug 8231 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8231)
     new  7a7bc7e   Bump two guint16 to guint32 to prevent overflow when reassembling a large number of fragments, and add an extra bounds check.
     new  afcb065   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8481
     new  736eea7   Change some ints to guints (as they already are in trunk) so that negative values don't falsely pass the bounds checks and cause a crash.
     new  3b8fdc0   Don't access nbap_dch_chnl_info if the index is > maxNrOfDCHs
     new  d83ed06   Don't pass the return value of tvb_length_remaining() to fragment_add_check(), as it might have been -1. Fixes Coverity CID 280510: Improper use of negative value.
     new  387cd02   Fix potential buffer overflow crash; (Bug #7880). Rework code logic slightly so same code path (and tests) used whether or not 'if(tree)'.
     new  f71d962   From Sylvain Munaut via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664 : packet-gmr1_bcch: Add guards in the SI1/2 choice of segment
     new  bea81cc   Manually backport parts of ------------------------------------------------------------------------ r46158 | wmeier | 2012-11-23 16:11:47 -0500 (Fri, 23 Nov 2012) | 13 lines Changed paths: M /trunk/epan/dissectors/packet-rdp.c
     new  cbd8dbe   Fix the infinite recursion problem reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :
     new  b1b8c29   Fix the wiretap fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 :
     new  7dda211   From myself and Julian Cable via (and fixing) https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717
     new  dfbe5b9   fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8916 reported by Laurent Butti
     new  a6c7a05   Copy over with manual intervention:
     new  50fac68   Copy over r49697 with manual intervention:
     new  88fffb6   Ensure that the length parameter to dissect_per_length_determinant is initialized even in cases where we error or otherwise fail to dissect.
     new  0db1406   From Peter Hatina via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9104
     new  b0e171f   Copy over r49673 from the trunk:
     new  c480618   Copy over revisions from the trunk:
     new  91ee1b1   Copy over revisions from trunk:
     new  6922467   _lookup_extended takes a pointer to the key-pointer since it has to set the old key pointer value. _insert just takes the key-pointer, not a pointer to it. Passing a pointer-to-a-pointer causes the outer pointer to be dereferenced as a struct (when it in fact points to a pointer to struct) and leads to incorrect behaviour and uninitialized/out-of-bounds memory accesses.
     new  b97763c   Copy over r52154 by hand:
     new  ed95ddc   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9228 : Ensure that decompressed tvb exists before trying to add it to the tree
     new  74f74f5   Copy over r52570 with manual intervention:
     new  04a1625   Copy over r53626 with manual intervention.
     new  98299fc   Remove static packet_info *gpinfo and just use the packet_info provided by the function.
     new  b490a40   Harden nfs_name_snoop_add_name against various malformed inputs. Thanks to Moshe Kaplan for the report.
     new  598c766   Don't mix emem and glib memory and init routines.
     new  84faf42   Add a check for an oversized record.

The 56 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference.
Summary of changes:

 asn1/ldap/packet-ldap-template.c       |  4 +-
 asn1/nbap/nbap.cnf                     |  7 ++-
 asn1/nbap/packet-nbap-template.c       |  2 +-
 epan/dissectors/packet-acn.c           |  4 +-
 epan/dissectors/packet-ber.c           |  7 ++-
 epan/dissectors/packet-bssgp.c         | 64 +++++++++++----------
 epan/dissectors/packet-capwap.c        |  6 +-
 epan/dissectors/packet-cimd.c          |  6 +-
 epan/dissectors/packet-clnp.c          | 39 +++++++------
 epan/dissectors/packet-csn1.c          | 36 ++++++------
 epan/dissectors/packet-csn1.h          | 92 +++++++++++++++---------------
 epan/dissectors/packet-dcp-etsi.c      | 29 ++++++----
 epan/dissectors/packet-drda.c          |  5 ++
 epan/dissectors/packet-dtls.c          |  2 +-
 epan/dissectors/packet-dtn.c           | 25 +++++----
 epan/dissectors/packet-dvbci.c         | 12 ++--
 epan/dissectors/packet-frame.c         | 17 ++++++
 epan/dissectors/packet-gmr1_bcch.c     |  2 +
 epan/dissectors/packet-gsm_a_bssmap.c  | 43 ++++++-------
 epan/dissectors/packet-gsm_a_common.c  | 96 ++++++++++++++++++++++++-------
 epan/dissectors/packet-gsm_bssmap_le.c | 10 ++--
 epan/dissectors/packet-gsm_rlcmac.c    | 12 ++--
 epan/dissectors/packet-gsm_rlcmac.h    |  8 +--
 epan/dissectors/packet-gsm_sms.c       | 57 +++++++++----------
 epan/dissectors/packet-gtpv2.c         | 16 +++---
 epan/dissectors/packet-hsrp.c          | 10 +++-
 epan/dissectors/packet-http.c          | 28 +++++++---
 epan/dissectors/packet-ieee802154.c    |  4 +-
 epan/dissectors/packet-ldap.c          | 12 ++--
 epan/dissectors/packet-ldp.c           | 20 ++++---
 epan/dissectors/packet-mount.c         |  2 +-
 epan/dissectors/packet-mpeg-dsmcc.c    |  2 +-
 epan/dissectors/packet-ms-mms.c        | 26 +++++++--
 epan/dissectors/packet-nas_eps.c       | 39 ++++++-------
 epan/dissectors/packet-nbap.c          | 77 +++++++++++++------------
 ... 23 lines suppressed ...