Hi,
The attached patch adds bounds checks on the URI length in WSP packets.
A test case that crashes the current CVS ethereal is attached.
Regards,
Georg
Index: packet-wsp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-wsp.c,v
retrieving revision 1.72
diff -u -u -r1.72 packet-wsp.c
--- packet-wsp.c 25 Jul 2003 04:11:49 -0000 1.72
+++ packet-wsp.c 27 Jul 2003 13:17:24 -0000
@@ -1413,6 +1413,7 @@
/* Length of URI and size of URILen field */
value = tvb_get_guintvar (tvb, offset, &count);
nextOffset = offset + count;
+ tvb_ensure_bytes_exist (tvb, nextOffset, value);
add_uri (wsp_tree, pinfo, tvb, offset, nextOffset);
if (tree) {
offset += (value+count); /* VERIFY */
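Review bot: `value` comes straight from `tvb_get_guintvar` as an unsigned quantity, so the added `tvb_ensure_bytes_exist (tvb, nextOffset, value)` is only as strong as that function's handling of very large lengths. If its length parameter is signed (I believe it is a `gint`; worth confirming in tvbuff.h), a value above `G_MAXINT` arrives negative and may not be rejected the way an oversized positive length is. An explicit `if (value > G_MAXINT) THROW (ReportedBoundsError);` before the call would remove the doubt, and would also keep `offset += (value+count)` on the `/* VERIFY */` line from wrapping. The same concern applies to the checks added in the other two hunks; the enclosing function starts and ends outside this hunk.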
@@ -1425,6 +1426,7 @@
uriStart = offset;
count = 0; /* Initialise count */
uriLength = tvb_get_guintvar (tvb, offset, &count);
+ tvb_ensure_bytes_exist (tvb, uriStart, uriLength);
headerStart = uriStart+count;
count = 0; /* Initialise count */
headersLength = tvb_get_guintvar (tvb, headerStart, &count);
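Review bot: The range checked by `tvb_ensure_bytes_exist (tvb, uriStart, uriLength)` begins at the length field rather than at the URI, so it falls short by at least `count` bytes; the next line shows the data after the field starting at `uriStart+count`. The third hunk of this patch checks `count+uriLen` from the field's offset, and this call should agree with it, e.g. `tvb_ensure_bytes_exist (tvb, uriStart, count+uriLength);`, or check from the offset where the URI is actually read, which is outside this hunk. `headersLength`, read two lines later from the same packet, gets no corresponding check in the visible lines.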
@@ -1610,6 +1612,8 @@
guint count = 0;
guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count);
+
+ tvb_ensure_bytes_exist (tvb, URILenOffset, count+uriLen);
if (tree)
ti = proto_tree_add_uint (tree, hf_wsp_header_uri_len,tvb,URILenOffset,count,uriLen);
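Review bot: `count+uriLen` is summed in unsigned arithmetic before it reaches `tvb_ensure_bytes_exist`, so a `uriLen` near the top of the `guint` range wraps to a small total and the check passes while later code still uses the full `uriLen`. Checking the URI bytes without the addition avoids this: `tvb_ensure_bytes_exist (tvb, URILenOffset + count, uriLen);`, since `tvb_get_guintvar` has already read the `count` bytes of the length field. The part of the function that consumes `uriLen` is outside the hunk.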
Attachment:
testcase1.bin
Description: Binary data