URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=35344225fa4b9c8cf9a5fccc76917541d68f9b14
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master-2.6
Repository: wireshark
Commits:
3534422 by Darius Davis (darius@xxxxxxxxxx):
LDSS: Fix a read overrun in dissect_ldss_transfer.

dissect_ldss_transfer had a trivial read overrun: "line" was not
NUL-terminated, and strtol/g_ascii_strtoull will keep reading and discarding
any leading whitespace, so a malformed LDSS packet (with only whitespace
characters following the tag on a "Size:"/"Start:"/"Compression:" line) could
trigger a read overrun.

Let's replace the tvb_memdup with tvb_get_string_enc, which does some checking
of the input characters (which, it seems, must always be ASCII), and produces a
neat NUL-terminated string.

Testing Done: On Linux x64, ran "valgrind tshark -r fuzz-2018-04-23-14422.pcap"
without the fix (to reproduce the failure), and then with the fix, and
observed that no errors were reported anymore after the fix. 60,000 iters of
fuzz-test with ldss_filtered.pcap as input, plus 1,000 iters under valgrind.
Launched wireshark and opened ldss_filtered.pcap, and examined the dissection
of the "ldss and tcp" packets; all looks good.

Bug: 14615
Change-Id: I3fccc4ffbe315a3cff6ea03cc7db37f884b0582c
Reviewed-on: https://code.wireshark.org/review/27204
Petri-Dish: Alexis La Goutte <alexis.lagoutte@xxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
(cherry picked from commit 295abe2e83ba8428e84e7ff9b2f6f94ae948fa76)
Reviewed-on: https://code.wireshark.org/review/27221
Actions performed:
from 736c975 NAS EPS: fix dissection of UE security capability IE
adds 3534422 LDSS: Fix a read overrun in dissect_ldss_transfer.
Summary of changes:
epan/dissectors/packet-ldss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
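
Added example (not part of the commit and not Wireshark code): the bug class described in the commit message, modelled in plain C. The names parse_unbounded, parse_bounded, sample, VALUE_OFF and VALUE_LEN are hypothetical; the sample line is constructed, and the trailing bytes live in the same array so the unbounded read stays defined behaviour here, whereas in the dissector it ran past the copied buffer.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a "Size:" line whose value is three spaces, followed in
 * memory by bytes that are NOT part of the field. */
static const char sample[] = "Size:   42 bytes of unrelated data";
#define VALUE_OFF 5
#define VALUE_LEN 3

/* Unbounded pattern: strtoull cannot know where the field ends, so it skips
 * the whitespace and keeps consuming whatever follows the field. */
static unsigned long long parse_unbounded(const char *field)
{
    return strtoull(field, NULL, 10);
}

/* Bounded pattern: copy exactly len bytes, NUL-terminate, then parse.
 * Returns 0 on success, -1 when the field is malformed. */
static int parse_bounded(const char *field, size_t len, uint64_t *out)
{
    char tmp[32];
    char *p = tmp;
    unsigned long long v;

    if (len == 0 || len >= sizeof tmp)
        return -1;
    for (size_t i = 0; i < len; i++)   /* ASCII only, no embedded NUL */
        if (field[i] == '\0' || (unsigned char)field[i] > 0x7f)
            return -1;
    memcpy(tmp, field, len);
    tmp[len] = '\0';                   /* the terminator strtoull relies on */
    while (isspace((unsigned char)*p))
        p++;
    if (!isdigit((unsigned char)*p))   /* whitespace-only, signed, or junk */
        return -1;
    errno = 0;
    v = strtoull(p, NULL, 10);
    if (errno == ERANGE)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

int main(void)
{
    uint64_t v = 0;
    printf("unbounded=%llu bounded=%d\n", parse_unbounded(sample + VALUE_OFF),
           parse_bounded(sample + VALUE_OFF, VALUE_LEN, &v));
    return 0;
}
```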