Ethereal-dev: Re: [ethereal-dev] Fix: malformed ISAKMP packets cause infinite loop in parse
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Guy Harris wrote:
>
> The patch was line-wrapped, which meant I had to undo the line-wrapping
> in order to get the patch to apply; for example
Sorry about that. I've included the patch as an attachement this
time. Please let me know if you have any problems...
> In addition, you change
>
> length -= sizeof(*hdr);
>
> to
>
> slength -= sizeof(*hdr);
>
> without having set "slength" first; GCC complains about this:
Yep. Don't know how I missed that.
The attached patch should address both of the problems above. Here's
the md5sum hash for the attachment:
gaelic/tmp/ethereal>ls -la patch2
- -rw-rw-r-- 1 keane dev 2826 Oct 6 11:57 patch2
gaelic/tmp/ethereal>md5sum patch2
550a5cba58c450f7e98bfb8d83cadaf9 patch2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjnd9+IACgkQKCFXyIceXHxYKgCfZ8CWCJT78FAtv82MdFHfNe3H
WV4AoIQHh6VncgJhYq/CuXw66pAvDEkx
=8nwQ
-----END PGP SIGNATURE-----
--
Jack Keane OpenReach, Inc
jkeane@xxxxxxxxxxxxx 780 Route 18
(732)254-7901 x7109 East Brunswick, NJ
Beginning on 9/25, I will be signing email. You can find my
PGP public key on babel in /home/keane/PublicKey , or from
http://www.cs.rutgers.edu/~keane/PublicKey . Beginning
10/15, all sensitive internal email will be encrypted!
Index: packet-isakmp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-isakmp.c,v
retrieving revision 1.28
diff -u -r1.28 packet-isakmp.c
--- packet-isakmp.c 2000/10/03 22:49:37 1.28
+++ packet-isakmp.c 2000/10/06 15:56:53
@@ -552,6 +552,7 @@
struct trans_hdr * hdr = (struct trans_hdr *)(pd + offset);
guint16 length = pntohs(&hdr->length);
+ int slength = length;
proto_item * ti = proto_tree_add_text(tree, NullTVB, offset, length, "Transform payload");
proto_tree * ntree;
@@ -590,8 +591,8 @@
}
offset += sizeof(hdr->transform_id) + sizeof(hdr->reserved2);
- length -= sizeof(*hdr);
- while (length) {
+ slength -= sizeof(*hdr);
+ while (slength>0) {
const char *str = NULL;
int ike_phase1 = 0;
guint16 type = pntohs(pd + offset) & 0x7fff;
@@ -611,7 +612,7 @@
str, type,
value2str(ike_phase1, type, val_len), val_len);
offset += 4;
- length -= 4;
+ slength -= 4;
}
else {
guint16 pack_len = 4 + val_len;
@@ -621,7 +622,7 @@
str, type,
num2str(pd + offset + 4, val_len));
offset += pack_len;
- length -= pack_len;
+ slength -= pack_len;
}
if (!IS_DATA_IN_FRAME(offset)) {
proto_tree_add_text(ntree, NullTVB, 0, 0,
@@ -940,7 +941,7 @@
offset += hdr->spi_size;
}
- if (length - sizeof(*hdr)) {
+ if (((int)length - sizeof(*hdr)) > 0) {
proto_tree_add_text(ntree, NullTVB, offset, length - sizeof(*hdr) - hdr->spi_size,
"Notification Data");
offset += (length - sizeof(*hdr) - hdr->spi_size);
@@ -1048,6 +1049,7 @@
struct cfg_hdr * hdr = (struct cfg_hdr *)(pd + offset);
guint16 length = pntohs(&hdr->length);
+ int slength = length;
proto_item * ti = proto_tree_add_text(tree, NullTVB, offset, length, "Attribute payload");
proto_tree * ntree;
@@ -1070,9 +1072,9 @@
proto_tree_add_text(ntree, NullTVB, offset, sizeof(hdr->identifier),
"Identifier: %u", pntohs(&hdr->identifier));
offset += sizeof(hdr->identifier);
- length -= sizeof(*hdr);
+ slength -= sizeof(*hdr);
- while(length) {
+ while(slength>0) {
guint16 type = pntohs(pd + offset) & 0x7fff;
guint16 val_len = pntohs(pd + offset + 2);
@@ -1080,7 +1082,7 @@
proto_tree_add_text(ntree, NullTVB, offset, 4,
"%s (%u)",cfgattrident2str(type),val_len);
offset += 4;
- length -= 4;
+ slength -= 4;
}
else {
guint pack_len = 4 + val_len;
@@ -1088,7 +1090,7 @@
proto_tree_add_text(ntree, NullTVB, offset, 4,
"%s (%se)", cfgattrident2str(type), num2str(pd + offset + 4, val_len));
offset += pack_len;
- length -= pack_len;
+ slength -= pack_len;
}
}
