Wireshark-commits: [Wireshark-commits] master 5797f60: LBMPDM: fix heap-buffer-overflow (write) in

From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Tue, 23 Oct 2018 05:09:35 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5797f602741a7505c18c2e0c505e963ca3349153
Submitter: "Anders Broman <a.broman58@xxxxxxxxx>"
Changed: branch: master
Repository: wireshark

Commits:

5797f60 by Peter Wu (peter@xxxxxxxxxxxxx):

    LBMPDM: fix heap-buffer-overflow (write) in dissect_segment_ofstable
    
    id_list and ofs_list contain offsets read directly from the packet.
    While the field type is FT_UINT32, it is somehow interpreted as signed
    number. This means that ofs_table->offset_list[id_list[idx]]=... could
    in fact result in an arbitrary write before "ofs_table->offset_list" due
    to id_list[idx] being negative.
    
    Another way for id_list[idx] to remain negative (-1) is for the loop to
    terminate before all "field_count" elements are set. Thus, remove the
    "datalen_remaining >= L_LBMPDM_OFFSET_ENTRY_T" check, if the offset is
    invalid the proto_tree_add_item accessors will throw an exception.
    
    Fixes the crash in the linked bug. Regression tested against the 8
    capture files from bug 9718, its dissection results are still the same.
    
    Bug: 15132
    Change-Id: If5d2f11ee47578acb80bc43ba7ed16adb27e0c02
    Fixes: v1.11.3-rc1-2270-g2f4ca9c8d9 ("Initial checkin of LBM aka 29West dissectors. See Bug 9718.")
    Reviewed-on: https://code.wireshark.org/review/30300
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  24fb3a1   dcm: Generate packet-dcm.h from DICOM standard in DocBook format
     add  5797f60   LBMPDM: fix heap-buffer-overflow (write) in dissect_segment_ofstable


Summary of changes:
 epan/dissectors/packet-lbmpdm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)