Wireshark-bugs: [Wireshark-bugs] [Bug 10840] New: Wireshark 1.12.2 Canon BJNP proto handler flaw
Date: Thu, 08 Jan 2015 22:45:08 +0000
Bug ID: 10840
Summary: Wireshark 1.12.2 Canon BJNP proto handler flaw
Product: Wireshark
Version: 1.12.2
Hardware: x86
OS: Windows 7
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: huasuhua@gmail.com

--
Hi there,

let's look at the Canon BJNP proto handler:
(\wireshark-1.12.2\epan\dissectors\packet-bjnp.c)

/* ------- original code start ------- */
static int dissect_bjnp (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
//... skipped
  gint        offset = 0;
//... skipped
  guint32     payload_len;

//... skipped
  offset++;
//... skipped
  payload_len = tvb_get_ntohl (tvb, offset);
//... skipped

  if (payload_len > 0) {
    /* TBD: Dissect various commands */
    proto_tree_add_item (bjnp_tree, hf_payload, tvb, offset, payload_len, ENC_NA);
    // flaw is here
    offset += payload_len; // the "offset" variable could be overflowed and contain an unpredictable value
  }
/* ------- original code end ------- */

A patch should check for a possible overflow and stop execution if we get one.

/* ------- some sort of a patch start ------- */
#define MAX(x,y) ( ((x)>(y))?(x):(y) )

if (offset != 0
    && payload_len != 0
    && ((unsigned)(offset) + (unsigned)(payload_len)) < MAX((unsigned)(offset),(unsigned)(payload_len)))
        return 0;
/* ------- some sort of a patch end ------- */


Thanks.

yeno01
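As an added illustration (not the reporter's patch and not Wireshark code), the same offset arithmetic in plain C: the wrap test from the suggested patch, plus the bound against the captured buffer that a dissector also needs. The header layout (one leading byte, then a big-endian 32-bit payload_len) is a constructed assumption for the example, not the real BJNP format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed layout for this example (assumption): 1 leading byte,
 * then a 4-byte big-endian payload length, then the payload itself. */
#define BJNP_LEN_OFFSET 1
#define BJNP_LEN_SIZE   4

static uint32_t get_ntohl(const uint8_t *buf, size_t off)
{
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

/* The report's wrap test: an unsigned sum that wrapped modulo 2^32 is
 * smaller than the larger of its two operands. */
bool bjnp_sum_wraps(uint32_t offset, uint32_t payload_len)
{
    uint32_t sum = offset + payload_len;            /* may wrap */
    uint32_t larger = offset > payload_len ? offset : payload_len;
    return sum < larger;
}

/* Walk the header as the dissector does and return the offset just past
 * the payload, or -1 when payload_len is unusable: the field is not fully
 * captured, the sum wraps, or it claims more bytes than buf_len holds. */
long bjnp_payload_end(const uint8_t *buf, size_t buf_len)
{
    uint32_t offset = 0;
    offset += BJNP_LEN_OFFSET;                      /* the report's offset++ */
    if (buf_len < (size_t)offset + BJNP_LEN_SIZE)
        return -1;                                  /* length field truncated */
    uint32_t payload_len = get_ntohl(buf, offset);
    offset += BJNP_LEN_SIZE;                        /* step past the field */
    if (payload_len == 0)
        return (long)offset;                        /* nothing to add */
    if (bjnp_sum_wraps(offset, payload_len))
        return -1;                                  /* the flaw in the report */
    if (payload_len > buf_len - offset)
        return -1;                                  /* longer than captured data */
    return (long)(offset + payload_len);
}
```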

