Wireshark-commits: [Wireshark-commits] lts-1.8.2 84faf42: Add a check for an oversized record.
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 16 Jun 2014 18:50:53 +0000 (UTC)
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=84faf42556f495f2586a1480913a0cef3b9e84db
Submitter: Balint Reczey (balint@xxxxxxxxxxxxxxx)
Changed: branch: lts-1.8.2
Repository: wireshark

Commits:

df20c71 by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    Revert r41311, fix bug #7581
    
    svn path=/trunk/; revision=44454
    

7e811ec by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    Fix bug #7668
    
    Use correct field type for lcp.opt.oui
    
    svn path=/trunk/; revision=44688
    

73923b4 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666 :
    Check that DRDA command has a minimum length of 10 bytes to prevent a potential infinite loop
    
    svn path=/trunk/; revision=44749
    

5871bf1 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    From Aditya Ambadkar via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7046 :
    
    Fix CID 703472 and (external) fuzz failure 7567:
    
    The dissect_subtlv_interface_parameters is missing the handling of BFD 2..4.
    For the crash patch, we decided to add the bfd2..4 in dissect_tlc function (in
    the diff). We plan to open a separate bug to fix
    dissect_subtlv_interface_parameters to make it handle BFD2..4. (Thanks to Arun
    Arunachalam for this analysis)
    
    From me: fix up some indentation and replace tabs with spaces (for consistency).
    
    svn path=/trunk/; revision=44801
    

672720c by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Copy over: Revision 46646 - Clean up white space.
    
    Add a return where I presume it was intended to be - a 4-octet address
    is completely handled in that if clause, so there's no reason to fall
    through.
    
    Fix a comment.
    --------------------------------------------------------------------------------
    Revision 46645 - Fix some valgrind warnings from the capture attached to
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8110
    
    I can't reproduce the actual reported crash on trunk.
    
    --------------------------------------------------------------------------------
    Revision 45646 - (try to) fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7871
    
    increment offset to point to the first byte after the options
    (the code used to set an absolute position, if that was 0, we were stuck
     in an endless loop)
    --------------------------------------------------------------------------------
    Revision 45059 - replaced decode_boolean_bitfield calls with itemized filters
    
    svn path=/trunk-1.8/; revision=46659
    

06f95d0 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 (or at least the complaints from Valgrind; I couldn't reproduce the crash).
    
    What part of:
    
    ~~~
     * If you're thinking of using tvb_get_ptr, STOP WHAT YOU ARE DOING
     * IMMEDIATELY. Go take a break. Consider that tvb_get_ptr hands you
     * a raw, unprotected pointer that you can easily use to create a
     * security vulnerability or otherwise crash Wireshark. Then consider
     * that you can probably find a function elsewhere in this file that
     * does exactly what you want in a much more safe and robust manner.
    ~~~
    
    did someone not read?
    
    Use tvb_get_ephemeral_stringz() instead of adding (apparently not sufficiently
    checked!) offsets to the result of tvb_get_ptr() and assuming that the result
    is a) in bounds and b) a NULL-terminated string.
    
    svn path=/trunk/; revision=46577
    

abd69c9 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Get rid of another tvb_get_ptr() abuse (just like r46577 but in a different function).
    
    svn path=/trunk/; revision=46579
    

53406d7 by Martin Kaiser (wireshark@xxxxxxxxx):

    check the length parameter for tvb_get_unicode_string() and tvb_get_ephemeral_unicode_string(), throw an exception for invalid lengths (including -1, but length==-1 does not work for other tvb string functions either)
    
    I believe this is the proper fix for
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8112
    
    svn path=/trunk/; revision=46705
    

b653962 by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Copy over: Revision 46705, Revision 43266, Revision 43263
    
    svn path=/trunk-1.8/; revision=46760
    

a4ad0e3 by Martin Kaiser (wireshark@xxxxxxxxx):

    From Evan: sanity checks before setting a packet's total length in fragment_set_tot_len()
    
    (from me: check if fragments exist for the given id)
    
    hopefully, this fixes #8111 and #8163 without causing troubles for other
    protocols that use fragmentation and reassembly
    
    svn path=/trunk/; revision=46999
    

9223033 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7679: Do not try to set IR header length when the profile is unknown
    
    svn path=/trunk/; revision=44700
    

389c484 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over from trunk:
    
        ------------------------------------------------------------------------
        r47125 | martink | 2013-01-16 16:57:34 -0500 (Wed, 16 Jan 2013) | 2 lines
    
        no need for if (tree)
    
        ------------------------------------------------------------------------
        r47123 | martink | 2013-01-16 16:51:16 -0500 (Wed, 16 Jan 2013) | 5 lines
    
        don't attempt reassembly if more than 1000 consecutive fragments are
        missing
    
        this fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8222
    
        ------------------------------------------------------------------------
        r47098 | eapache | 2013-01-15 11:51:55 -0500 (Tue, 15 Jan 2013) | 5 lines
    
        Don't run past the end of a fragment array, either in the loop or by putting a
        useless sentinel in.
    
        Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8213
    
    svn path=/trunk-1.8/; revision=47245
    

6a70bb1 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r47114 by hand.
    
      ------------------------------------------------------------------------
      r47114 | eapache | 2013-01-16 06:14:05 -0800 (Wed, 16 Jan 2013) | 3 lines
      Changed paths:
         M /trunk/epan/proto.c
    
      Null the finfo pointer after we free it. Reduces (but does not completely fix)
      the errors from bug https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197
      ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=47281
    

94833eb by Evan Huus (eapache@xxxxxxxxx):

    Take a wild guess at what might be causing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197
    
    It can't hurt, in any case.
    
    svn path=/trunk/; revision=47084
    

c3ecbd6 by Balint Reczey (balint@xxxxxxxxxxxxxxx):

    Prevent copying longer than expected NTLM SSP key
    
    svn path=/trunk/; revision=47248
    

c4b00a1 by Evan Huus (eapache@xxxxxxxxx):

    Manually rediscover r43185 to fix
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8274
    
    svn path=/trunk-1.8/; revision=47381
    

3a27124 by Evan Huus (eapache@xxxxxxxxx):

    Backport with non-trivial manual intervention to fix
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8383
    
    ------------------------------------------------------------------------
    r44899 | etxrab | 2012-09-14 10:05:50 -0400 (Fri, 14 Sep 2012) | 9 lines
    
    From Mike Morrin:
    Fix pedantic compiler warnings in csn.1 dissectors.
    
    There is some tricky casting going on in csn.1 structures.  To eliminate all
    the warnings, the function pointers needed to be moved out of the object
    pointer unions.  Fortunately macros (mostly) hide these changes from the
    protocol dissector tables.
    
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7686
    ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=47888
    

127559e by Evan Huus (eapache@xxxxxxxxx):

    Backport the workaround with manual intervention:
    ------------------------------------------------------------------------
    r47979 | eapache | 2013-03-01 14:08:30 -0500 (Fri, 01 Mar 2013) | 3 lines
    
    Add a much better workaround for bug #8382 and some expert info.
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8382
    
    ------------------------------------------------------------------------
    The actual fix (when it comes) will be too intrusive to backport.
    
    svn path=/trunk-1.8/; revision=47981
    

2cfadc0 by Michael Mann (mmann78@xxxxxxxxxxxx):

    Fix potential buffer overflow in RTPS and RTPS2 dissectors by allocating enough memory to fit the "indentation space".
    
    Bug 8332 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8332)
    
    svn path=/trunk/; revision=47658
    

a0d6352 by Evan Huus (eapache@xxxxxxxxx):

    From Alyssa Milburn via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8335
    
    Make length field unsigned so that negative values fail the bounds check and
    throw a regular exception before getting passed to glib (where they cause a
    program-ending assert failure instead).
    
    svn path=/trunk/; revision=47672
    

db84d90 by Jaap Keuter (jaap.keuter@xxxxxxxxx):

    From Alyssa Milburn:
    This patch adds a check for a zero count to the existing sanity check code.
    
    From me:
    In addition drop superfluous sanity check.
    
    svn path=/trunk/; revision=47692
    

42fe08e by Michael Mann (mmann78@xxxxxxxxxxxx):

    Bugfix DoS in CIMD dissector.  Bug 8346 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8346)
    
    svn path=/trunk/; revision=47708
    

586cdd6 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over revisions from the trunk:
    
      ------------------------------------------------------------------------
      r48010 | eapache | 2013-03-02 08:23:21 -0800 (Sat, 02 Mar 2013) | 4 lines
      Changed paths:
         M /trunk/epan/dissectors/packet-dtls.c
    
      Pass the same offset to tvb_ensure_bytes_exist and fragment_add.
    
      One minor part of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380
      ------------------------------------------------------------------------
    
    Copy over with manual intervention:
    
      ------------------------------------------------------------------------
      r48011 | eapache | 2013-03-02 08:39:56 -0800 (Sat, 02 Mar 2013) | 23 lines
      Changed paths:
         M /trunk/epan/exceptions.h
         M /trunk/epan/reassemble.c
         M /trunk/epan/show_exception.c
    
      Define a new exception for reassembly errors, and throw it in several cases
      instead of using DISSECTOR_ASSERT. When a dissector passes bad data to the
      reassembly machine, that isn't necessarily the dissector's fault - the data may
      come straight from the packet, and the dissector may not have enough information
      to know it's bad without telling the reassembly machine in the first place.
    
      Also fix a bug in the reassembly machine. If it were given a fragment and all of
      the following conditions were met:
      - the other associated fragments were already marked as done (reassembled)
      - the fragment went beyond the end of the conceptual reassembled buffer
      - the dissector had not set the PARTIAL_REASSEMBLY flag
      then the reassembly machine would incorrectly think there was an overlap and
      run past the end of the already-reassembled buffer.
    
      Should fix the rest of
      https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8380
    
      #BACKPORT
      This is probably too big and intrusive to backport directly, and parts of it
      will need adapting anyways since reassemble.c has changed. But the bug exists
      and crashes in 1.6 and 1.8, so we'll have to do something.
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=48112
    
    Copy over from trunk
    
    ------------------------------------------------------------------------
    r48123 | eapache | 2013-03-05 19:39:35 -0500 (Tue, 05 Mar 2013) | 5 lines
    
    Followup to r48011, answering my own XXX comment:
    
    No, ReportedBoundsError is not the right thing to throw, ReassemblyError is.
    That's why I added it in the first place!
    
    ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=48124
    

4d84f28 by Evan Huus (eapache@xxxxxxxxx):

    Manually backport more of r48011.
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8441 for 1.8 branch.
    
    svn path=/trunk-1.8/; revision=48132
    

8d066fa by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8493 :
    Use proto_tree_add_item instead of proto_tree_add_bits_item to display Used Cipher
    
    svn path=/trunk/; revision=48393
    
    Conflicts:
    	epan/dissectors/packet-gtpv2.c
    

d2384fc by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over with manual intervention:
    
      ------------------------------------------------------------------------
      r48944 | eapache | 2013-04-20 14:20:00 -0700 (Sat, 20 Apr 2013) | 5 lines
      Changed paths:
         M /trunk/epan/dissectors/packet-ber.c
    
      Initialize branch_taken right at the top of dissect_ber_choice so that the
      caller can depend on it being initialized even in peculiar error conditions.
    
      Fixes the other half of https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8599
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=49265
    
    Conflicts:
    	docbook/release-notes.xml
    

ab4742a by Michael Mann (mmann78@xxxxxxxxxxxx):

    NULL terminate bit field list.  Bug 8638 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8638)
    
    svn path=/trunk/; revision=49214
    

42292ec by Michael Mann (mmann78@xxxxxxxxxxxx):

    dcp-etsi dissector: new formula for rx_min
    Bug 8231 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8231)
    
    svn path=/trunk/; revision=47295
    

7a7bc7e by Evan Huus (eapache@xxxxxxxxx):

    Bump two guint16 to guint32 to prevent overflow when reassembling a large
    number of fragments, and add an extra bounds check.
    
    Fixes
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8540
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8541
    
    svn path=/trunk/; revision=48644
    

afcb065 by Evan Huus (eapache@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8481
    
    Trivially wrong format string being passed to val_to_str().
    
    svn path=/trunk/; revision=48332
    
    Conflicts:
    	epan/dissectors/packet-mpeg-dsmcc.c
    

736eea7 by Evan Huus (eapache@xxxxxxxxx):

    Change some ints to guints (as they already are in trunk) so that
    negative values don't falsely pass the bounds checks and cause a crash.
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8499
    
    svn path=/trunk-1.8/; revision=48419
    

3b8fdc0 by Anders Broman (anders.broman@xxxxxxxxxxxx):

    Don't access nbap_dch_chnl_info if the index is > maxNrOfDCHs
    
    svn path=/trunk/; revision=49418
    
    Conflicts:
    	epan/dissectors/packet-nbap.c
    

d83ed06 by Chris Maynard (Christopher.Maynard@xxxxxxxxx):

    Don't pass the return value of tvb_length_remaining() to fragment_add_check(), as it might have been -1.
    Fixes Coverity CID 280510: Improper use of negative value.
    
    svn path=/trunk/; revision=43716
    

387cd02 by Bill Meier (wmeier@xxxxxxxxxxx):

    Fix potential buffer overflow crash; (Bug #7880).
    Rework code logic slightly so same code path (and tests)
     used whether or not 'if(tree)'.
    
    svn path=/trunk/; revision=46128
    

f71d962 by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    From Sylvain Munaut via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664 :
    packet-gmr1_bcch: Add guards in the SI1/2 choice of segment
    
    Although the CSN1 dissector itself will just stop if there is
    no matching segment, it will leave the choice field uninitialized
    and so when we use it to fill some other text, it crashes ...
    
    To protect against that, we put a last choice entry that will always
    match. As a bonus, it triggers an explicit error in CSN so you
    know something is wrong.
    
    svn path=/trunk/; revision=44674
    

bea81cc by Evan Huus (eapache@xxxxxxxxx):

    Manually backport parts of
    ------------------------------------------------------------------------
    r46158 | wmeier | 2012-11-23 16:11:47 -0500 (Fri, 23 Nov 2012) | 13 lines
    Changed paths:
       M /trunk/epan/dissectors/packet-rdp.c
    
    Improve dissection;
    - Properly handle DataBlocks with optional fields at end;
    - Fix a few field dissections;
    General code cleanup;
    - Remove almost all tests using tvb_length_remaining():
       If there's not enough data available, just let an
       exception be thrown.
    - Fix a memory leak;
    - Simplify code in various places.
    - Add a reference to the (a ?) Microsoft spec for RDP.
    
    Fixes Bug #7862 in a more complete manner than SVN #45566.
    
    ------------------------------------------------------------------------
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8729
    which is really a tangential duplicate of
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7862
    
    svn path=/trunk-1.8/; revision=49679
    

cbd8dbe by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the infinite recursion problem reported in
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :
    
    We can't solely rely on the port in the URI to determine whether we will be
    recursively called by decode_tcp_ports().  Instead also check the conversation
    entry too: if we find that we are the subdissector for this conversation
    (which we might be--without the port being in our list of ports--if we
    heuristically picked up the conversation or the user did Decode-As),
    just bail out and dissect the payload as data.
    
    svn path=/trunk/; revision=49623
    

b1b8c29 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Fix the wiretap fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 :
    
    Check that the record length we got out of the file is at least as big as
    stats block trailer; if not, declare the file bad.
    
    svn path=/trunk/; revision=49739
    

7dda211 by Evan Huus (eapache@xxxxxxxxx):

    From myself and Julian Cable via (and fixing)
    https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717
    
    Don't add a DCP-ETSI fragment for reassembly if the length is wrong.
    
    svn path=/trunk/; revision=49802
    

dfbe5b9 by Martin Kaiser (wireshark@xxxxxxxxx):

    fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8916
    reported by Laurent Butti
    
    a TPDU's length field must never be 0
    this length field was decremented without prior checking,
    allocating length-1 bytes of memory caused a dissector assert
    
    svn path=/trunk/; revision=50474
    

a6c7a05 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over with manual intervention:
    
      ------------------------------------------------------------------------
      r50672 | morriss | 2013-07-16 13:59:26 -0400 (Tue, 16 Jul 2013) | 8 lines
      Changed paths:
         M /trunk/epan/dissectors/packet-gsm_a_common.c
    
      Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8940 :
    
      Test whether idx is in range or not (by seeing if it was found in the
      value_string) before using it as an index into any of the elem_var arrays.
    
      This fuzz failure was in elem_telv() but apply the fix to all the elem_*()
      functions.
      ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=50675
    

50fac68 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r49697 with manual intervention:
    
      ------------------------------------------------------------------------
      r49697 | guy | 2013-06-02 11:09:13 -0700 (Sun, 02 Jun 2013) | 6 lines
      Changed paths:
         M /trunk/wiretap/netmon.c
    
      Initialize the frame_table_size field of the private data to 0 and the
      frame_table field to NULL before trying to allocate the frame table, so
      that if we fail before we allocate the frame table, the attempt to free
      the private data doesn't crash due to the frame_table field containing a
      bogus pointer.
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=50684
    
    Conflicts:
    	docbook/release-notes.xml
    

88fffb6 by Evan Huus (eapache@xxxxxxxxx):

    Ensure that the length parameter to dissect_per_length_determinant is
    initialized even in cases where we error or otherwise fail to dissect.
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8722
    
    Thanks to Pascal for his help digging through this one.
    
    svn path=/trunk/; revision=49985
    

0db1406 by Evan Huus (eapache@xxxxxxxxx):

    From Peter Hatina via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9104
    
    Fix double-free on corrupt netmon file. Wiretap frees the struct for us, we
    don't need to free it as well.
    
    svn path=/trunk-1.8/; revision=51781
    

b0e171f by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r49673 from the trunk:
    
      ------------------------------------------------------------------------
      r49673 | guy | 2013-05-31 23:48:37 -0700 (Fri, 31 May 2013) | 7 lines
      Changed paths:
         M /trunk/epan/filesystem.c
         M /trunk/wiretap/netmon.c
    
      When allocating the frame table for a NetMon file, use g_try_malloc(),
      and fail with ENOMEM if that fails (and the frame table is not empty -
      g_try_malloc() will return NULL if you ask it to allocate zero bytes).
    
      Have an error message for ENOMEM on an open that attempts to tell the
      user what the problem is without making their head explode.
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=51911
    
    Conflicts:
    	docbook/release-notes.xml
    

c480618 by Evan Huus (eapache@xxxxxxxxx):

    Copy over revisions from the trunk:
    
      ------------------------------------------------------------------------
      r51213 | eapache | 2013-08-08 06:50:11 -0400 (Thu, 08 Aug 2013) | 4 lines
    
      Correctly check bounds on dim_max.
    
      Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9019
    
      ------------------------------------------------------------------------
      r51516 | eapache | 2013-08-25 13:31:15 -0400 (Sun, 25 Aug 2013) | 4 lines
    
      Make sure our ldap_call_response_t struct is always completely initialized,
      fixing a "Conditional jump or move depends on uninitialised value" error found
      by valgrind fuzzing.
    
      ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=51624
    

91ee1b1 by Jeff Morriss (jeff.morriss.ws@xxxxxxxxx):

    Copy over revisions from trunk:
    
      ------------------------------------------------------------------------
      r51195 | martink | 2013-08-07 16:18:11 -0400 (Wed, 07 Aug 2013) | 4 lines
      Changed paths:
         M /trunk/asn1/nbap/nbap.cnf
         M /trunk/epan/dissectors/packet-nbap.c
    
      add a range check for dch_id
    
      this should fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9005
      ------------------------------------------------------------------------
    
    svn path=/trunk-1.8/; revision=51230
    

6922467 by Evan Huus (eapache@xxxxxxxxx):

    _lookup_extended takes a pointer to the key-pointer since it has to set the old
    key pointer value. _insert just takes the key-pointer, not a pointer to it.
    Passing a pointer-to-a-pointer causes the outer pointer to be dereferenced as a
    struct (when it in fact points to a pointer to struct) and leads to incorrect
    behaviour and uninitialized/out-of-bounds memory accesses.
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9139
    
    svn path=/trunk/; revision=52036
    

b97763c by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r52154 by hand:
    
      ------------------------------------------------------------------------
      r52154 | etxrab | 2013-09-20 07:19:31 -0700 (Fri, 20 Sep 2013) | 1 line
      Changed paths:
         M /trunk/asn1/nbap/nbap.cnf
         M /trunk/asn1/nbap/packet-nbap-template.c
         M /trunk/epan/dissectors/packet-nbap.c
    
      DCH-ID can be 255
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=52958
    

ed95ddc by Pascal Quantin (pascal.quantin@xxxxxxxxx):

    Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9228 :
    Ensure that decompressed tvb exists before trying to add it to the tree
    
    svn path=/trunk/; revision=52354
    

74f74f5 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r52570 with manual intervention:
    
      ------------------------------------------------------------------------
      r52570 | cmaynard | 2013-10-12 11:03:34 -0700 (Sat, 12 Oct 2013) | 4 lines
      Changed paths:
         M /trunk/epan/dissectors/packet-tcp.c
    
      Don't assume that tvb_length_remaining() or tvb_reported_length_remaining() always return a value >= 0.  Part of fix for https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9263
    
      #BACKPORT(1.10,1.8)
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=52962
    
    Conflicts:
    	docbook/release-notes.xml
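
Several commits in this batch (a0d6352, 736eea7, d83ed06 and the r52570 copy-over just above) fix one class of bug: a length or remaining-length value held in a signed int can be negative, so it slips past an "offset + len > buf_len" style check and is then converted to a size for a copy. The following is an added example, not Wireshark code, showing that failure mode next to a hardened check. The names (naive_check, hardened_check, hardened_copy, CONSTRUCTED_PKT, demo_dst) and the packet bytes are constructed for the example.

```c
/* Added example (not Wireshark code): a signed length from the wire slips
 * past a naive "offset + len > buf_len" check, and a hardened check that
 * rejects it. All names and the packet bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 16

enum copy_status { COPY_OK = 0, COPY_BOUNDS_ERROR = 1, COPY_WOULD_OVERRUN = 2 };

/* Constructed 16-byte packet: an 8-byte header, then an 8-byte payload.
 * Bytes 4..7 hold a big-endian 32-bit length field with the top bit set. */
const uint8_t CONSTRUCTED_PKT[BUF_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0xFF, 0xFF, 0xFF, 0xF0,
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48    /* payload "ABCDEFGH" */
};

/* Big-endian 32-bit read, the way a dissector pulls a length out of a packet. */
uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The pattern the commits fix: len is an int, so a wire value >= 0x80000000
 * arrives negative. The check passes, and the consumer converts len to size_t.
 * Instead of performing the resulting memcpy, this returns COPY_WOULD_OVERRUN
 * whenever the converted size exceeds the bytes actually available. */
enum copy_status naive_check(int buf_len, int offset, int len)
{
    if (offset + len > buf_len)            /* a negative len makes the sum small */
        return COPY_BOUNDS_ERROR;
    size_t n = (size_t)len;                /* -16 becomes SIZE_MAX - 15 */
    if (n > (size_t)(buf_len - offset))
        return COPY_WOULD_OVERRUN;         /* memcpy(dst, src + offset, n) would run off the buffer */
    return COPY_OK;
}

/* Hardened form: unsigned lengths, offset validated first, then len compared
 * against the bytes that remain, so no addition can wrap or go negative. */
enum copy_status hardened_check(uint32_t buf_len, uint32_t offset, uint32_t len)
{
    if (offset > buf_len)
        return COPY_BOUNDS_ERROR;
    if (len > buf_len - offset)
        return COPY_BOUNDS_ERROR;
    return COPY_OK;
}

uint8_t demo_dst[BUF_LEN];

/* Copies len bytes at offset out of src into dst after the hardened check.
 * Returns the number of bytes copied, or -1 when the input is rejected. */
long hardened_copy(uint8_t *dst, size_t dst_len, const uint8_t *src,
                   uint32_t buf_len, uint32_t offset, uint32_t len)
{
    if (hardened_check(buf_len, offset, len) != COPY_OK || len > dst_len)
        return -1;
    memcpy(dst, src + offset, len);
    return (long)len;
}

int main(void)
{
    uint32_t wire_len = read_be32(CONSTRUCTED_PKT + 4);   /* 0xFFFFFFF0 */
    int signed_len = (int)wire_len;                       /* -16 on two's-complement targets */
    printf("naive check, len=%d: status %d\n", signed_len,
           naive_check(BUF_LEN, 8, signed_len));
    printf("hardened check, len=%u: status %d\n", wire_len,
           hardened_check(BUF_LEN, 8, wire_len));
    printf("hardened copy of 8 bytes: %ld\n",
           hardened_copy(demo_dst, sizeof demo_dst, CONSTRUCTED_PKT, BUF_LEN, 8, 8));
    return 0;
}
```

The hardened form compares against what remains (buf_len - offset) rather than adding offset and len, which is the same shape as rejecting a -1 from a *_length_remaining() call before it reaches a function that expects a non-negative count.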
    

04a1625 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Copy over r53626 with manual intervention.
    
      ------------------------------------------------------------------------
      r53626 | rbalint | 2013-11-28 08:39:04 -0800 (Thu, 28 Nov 2013) | 5 lines
      Changed paths:
         M /trunk/epan/dissectors/packet-ntlmssp.c
    
      Support long Domain Names in NTLMSSP v2
    
      ... instead of crashing on them. :-)
    
      Discovered by Garming Sam <garming@xxxxxxxxxxxxxxx>
      ------------------------------------------------------------------------
    
    Update the release notes.
    
    svn path=/trunk-1.8/; revision=54146
    
    Conflicts:
    	docbook/release-notes.asciidoc
    

98299fc by Michael Mann (mmann78@xxxxxxxxxxxx):

    Remove static packet_info *gpinfo and just use the packet_info provided by the function.
    
    svn path=/trunk/; revision=49145
    
    Conflicts:
    	epan/dissectors/packet-bssgp.c
    	epan/dissectors/packet-gsm_a_bssmap.c
    	epan/dissectors/packet-gsm_sms.c
    	epan/dissectors/packet-nas_eps.c
    	epan/dissectors/packet-sgsap.c
    

b490a40 by Evan Huus (eapache@xxxxxxxxx):

    Harden nfs_name_snoop_add_name against various malformed inputs. Thanks to Moshe
    Kaplan for the report.
    
    Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 and some
    other cases in the same vein.
    
    svn path=/trunk/; revision=54875
    
    Conflicts:
    	epan/dissectors/packet-nfs.c
    
    Change-Id: I7b64ad4475ef7701dd064cad98d5567ae3847735
    

598c766 by Evan Huus (eapache@xxxxxxxxx):

    Don't mix emem and glib memory and init routines.
    
    The seasonal memory is freed before the init routine is called, leading to a
    whole bunch of use-after-free errors.
    
    Fixes bug #9802 (and duplicates).
    
    This introduces a few minor leaks but I can't find an easy way to add additional
    free calls that doesn't lead to double-free errors.
    
    Change-Id: I1536fcb8e96f5560ad366169e815f62967b3e40d
    Reviewed-on: https://code.wireshark.org/review/407
    Reviewed-by: Evan Huus <eapache@xxxxxxxxx>
    

84faf42 by Gerald Combs (gerald@xxxxxxxxxxxxx):

    Add a check for an oversized record.
    
    For now we declare the file corrupt and give up. We may want to handle
    this more gracefully. Fixes a vulnerability discovered by Wesley Neelen
    (bug 9843).
    
    Remove the RCS ID and add modelines.
    
    Change-Id: I418938d7d6485b27cc51cf1dde50bc42dabf8c85
    Reviewed-on: https://code.wireshark.org/review/533
    Reviewed-by: Gerald Combs <gerald@xxxxxxxxxxxxx>
    (cherry picked from commit 34144b8d4da141e8aa9b99221855edc9f4c73ad8)
    Reviewed-on: https://code.wireshark.org/review/534
    
    Conflicts:
    	wiretap/mpeg.c
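
Four of the wiretap commits above are about the same record-length sanity checks from different angles: b1b8c29 requires the length to be at least as big as the trailer, dfbe5b9 notes that a length of 0 was decremented before any check, b0e171f allocates with g_try_malloc() and fails with ENOMEM, and 84faf42 rejects an oversized record by declaring the file corrupt. The following is an added example, not Wireshark's wiretap code, that applies those checks in the order that keeps the later subtraction and allocation safe. RECORD_HDR_LEN, TRAILER_LEN, MAX_RECORD_LEN, the function names and the file images are constructed for the example.

```c
/* Added example (not Wireshark's wiretap code): validate a record length read
 * from a capture file before it is subtracted from or used to size a buffer.
 * RECORD_HDR_LEN, TRAILER_LEN, MAX_RECORD_LEN, the function names and the
 * file images below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RECORD_HDR_LEN 4                 /* 32-bit little-endian record length */
#define TRAILER_LEN    8                 /* trailer every record must contain */
#define MAX_RECORD_LEN (256u * 1024u)    /* largest record we are willing to buffer */

enum rec_status {
    REC_OK        = 0,
    REC_TRUNCATED = 1,   /* file ends before the header or body is complete */
    REC_TOO_SMALL = 2,   /* len < TRAILER_LEN: len - TRAILER_LEN would wrap */
    REC_TOO_LARGE = 3,   /* len > MAX_RECORD_LEN: declare the file corrupt */
    REC_NOMEM     = 4    /* allocation failed */
};

uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The sanity checks, ordered so that the arithmetic after them cannot wrap. */
enum rec_status check_record_len(uint32_t len, size_t bytes_after_hdr)
{
    if (len < TRAILER_LEN)      return REC_TOO_SMALL;
    if (len > MAX_RECORD_LEN)   return REC_TOO_LARGE;
    if (len > bytes_after_hdr)  return REC_TRUNCATED;
    return REC_OK;
}

/* Reads the record at pos from an in-memory file image. On REC_OK, *body is a
 * malloc'd copy of the payload (record minus trailer) and *body_len its size. */
enum rec_status read_record(const uint8_t *file, size_t file_len, size_t pos,
                            uint8_t **body, uint32_t *body_len)
{
    if (pos > file_len || file_len - pos < RECORD_HDR_LEN)
        return REC_TRUNCATED;
    uint32_t len = read_le32(file + pos);
    enum rec_status st = check_record_len(len, file_len - pos - RECORD_HDR_LEN);
    if (st != REC_OK)
        return st;
    uint32_t payload = len - TRAILER_LEN;          /* cannot wrap: len >= TRAILER_LEN */
    uint8_t *buf = malloc(payload ? payload : 1);  /* never malloc(0); always check the result */
    if (buf == NULL)
        return REC_NOMEM;
    memcpy(buf, file + pos + RECORD_HDR_LEN, payload);
    *body = buf;
    *body_len = payload;
    return REC_OK;
}

/* Constructed file images, one per outcome. */
const uint8_t GOOD_RECORD[16]  = {0x0C,0,0,0, 'a','b','c','d', 0,1,2,3,4,5,6,7}; /* len 12: 4 payload + 8 trailer */
const uint8_t TRAILER_ONLY[12] = {0x08,0,0,0, 0,1,2,3,4,5,6,7};                 /* len 8: empty payload */
const uint8_t TINY_RECORD[7]   = {0x03,0,0,0, 'x','y','z'};                      /* len 3 < TRAILER_LEN */
const uint8_t HUGE_RECORD[6]   = {0xFF,0xFF,0xFF,0xFF, 'a','b'};                 /* len 0xFFFFFFFF */
const uint8_t SHORT_FILE[10]   = {0x0C,0,0,0, 'a','b','c','d','e','f'};          /* len 12, only 6 bytes follow */

/* Parses the record at offset 0 of an image; returns the payload length on
 * success or the negated rec_status on failure. */
long parse_image(const uint8_t *img, size_t img_len)
{
    uint8_t *body = NULL;
    uint32_t body_len = 0;
    enum rec_status st = read_record(img, img_len, 0, &body, &body_len);
    if (st != REC_OK)
        return -(long)st;
    free(body);
    return (long)body_len;
}

int main(void)
{
    printf("good record:  %ld\n", parse_image(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("tiny record:  %ld\n", parse_image(TINY_RECORD, sizeof TINY_RECORD));
    printf("huge record:  %ld\n", parse_image(HUGE_RECORD, sizeof HUGE_RECORD));
    printf("short file:   %ld\n", parse_image(SHORT_FILE, sizeof SHORT_FILE));
    return 0;
}
```

The too-small check comes first because it is what makes the later "len - TRAILER_LEN" safe; the too-large check comes before any allocation so that a corrupt length is reported as a bad file rather than surfacing as an allocation failure or an oversized read.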
    

Actions performed:

    from  db4cb96   Build 1.8.2.
     new  df20c71   Revert r41311, fix bug #7581
     new  7e811ec   Fix bug #7668
     new  73923b4   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666 : Check that DRDA command has a minimum length of 10 bytes to prevent a potential infinite loop
     new  5871bf1   From Aditya Ambadkar via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7046 :
     new  672720c   Copy over: Revision 46646 - Clean up white space.
     new  06f95d0   Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945 (or at least the complaints from Valgrind; I couldn't reproduce the crash).
     new  abd69c9   Get rid of another tvb_get_ptr() abuse (just like r46577 but in a different function).
     new  53406d7   check the length parameter for tvb_get_unicode_string() and tvb_get_ephemeral_unicode_string(), throw an exception for invalid lengths (including -1, but length==-1 does not work for other tvb string functions either)
     new  b653962   Copy over: Revision 46705, Revision 43266, Revision 43263
     new  a4ad0e3   From Evan: sanity checks before setting a packet's total length in fragment_set_tot_len()
     new  9223033   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7679: Do not try to set IR header length when the profile is unknown
     new  389c484   Copy over from trunk:
     new  6a70bb1   Copy over r47114 by hand.
     new  94833eb   Take a wild guess at what might be causing https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197
     new  c3ecbd6   Prevent copying longer than expected NTLM SSP key
     new  c4b00a1   Manually rediscover r43185 to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8274
     new  3a27124   Backport with non-trivial manual intervention to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8383
     new  127559e   Backport the workaround with manual intervention: ------------------------------------------------------------------------ r47979 | eapache | 2013-03-01 14:08:30 -0500 (Fri, 01 Mar 2013) | 3 lines
     new  2cfadc0   Fix potential buffer overflow in RTPS and RTPS2 dissectors by allocating enough memory to fit the "indentation space".
     new  a0d6352   From Alyssa Milburn via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8335
     new  db84d90   From Alyssa Milburn: This patch adds a check for a zero count to the existing sanity check code.
     new  42fe08e   Bugfix DoS in CIMD dissector.  Bug 8346 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8346)
     new  586cdd6   Copy over revisions from the trunk:
     new  4d84f28   Manually backport more of r48011.
     new  8d066fa   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8493 : Use proto_tree_add_item instead of proto_tree_add_bits_item to display Used Cipher
     new  d2384fc   Copy over with manual intervention:
     new  ab4742a   NULL terminate bit field list.  Bug 8638 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8638)
     new  42292ec   dcp-etsi dissector: new formula for rx_min Bug 8231 (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8231)
     new  7a7bc7e   Bump two guint16 to guint32 to prevent overflow when reassembling a large number of fragments, and add an extra bounds check.
     new  afcb065   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8481
     new  736eea7   Change some ints to guints (as they already are in trunk) so that negative values don't falsely pass the bounds checks and cause a crash.
     new  3b8fdc0   Don't access nbap_dch_chnl_info if the index is > maxNrOfDCHs
     new  d83ed06   Don't pass the return value of tvb_length_remaining() to fragment_add_check(), as it might have been -1. Fixes Coverity CID 280510: Improper use of negative value.
     new  387cd02   Fix potential buffer overflow crash; (Bug #7880). Rework code logic slightly so same code path (and tests)  used whether or not 'if(tree)'.
     new  f71d962   From Sylvain Munaut via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7664 : packet-gmr1_bcch: Add guards in the SI1/2 choice of segment
     new  bea81cc   Manually backport parts of ------------------------------------------------------------------------ r46158 | wmeier | 2012-11-23 16:11:47 -0500 (Fri, 23 Nov 2012) | 13 lines Changed paths:    M /trunk/epan/dissectors/packet-rdp.c
     new  cbd8dbe   Fix the infinite recursion problem reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8733 :
     new  b1b8c29   Fix the wiretap fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8760 :
     new  7dda211   From myself and Julian Cable via (and fixing) https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8717
     new  dfbe5b9   fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8916 reported by Laurent Butti
     new  a6c7a05   Copy over with manual intervention:
     new  50fac68   Copy over r49697 with manual intervention:
     new  88fffb6   Ensure that the length parameter to dissect_per_length_determinant is initialized even in cases where we error or otherwise fail to dissect.
     new  0db1406   From Peter Hatina via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9104
     new  b0e171f   Copy over r49673 from the trunk:
     new  c480618   Copy over revisions from the trunk:
     new  91ee1b1   Copy over revisions from trunk:
     new  6922467   _lookup_extended takes a pointer to the key-pointer since it has to set the old key pointer value. _insert just takes the key-pointer, not a pointer to it. Passing a pointer-to-a-pointer causes the outer pointer to be dereferenced as a struct (when it in fact points to a pointer to struct) and leads to incorrect behaviour and uninitialized/out-of-bounds memory accesses.
     new  b97763c   Copy over r52154 by hand:
     new  ed95ddc   Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9228 : Ensure that decompressed tvb exists before trying to add it to the tree
     new  74f74f5   Copy over r52570 with manual intervention:
     new  04a1625   Copy over r53626 with manual intervention.
     new  98299fc   Remove static packet_info *gpinfo and just use the packet_info provided by the function.
     new  b490a40   Harden nfs_name_snoop_add_name against various malformed inputs. Thanks to Moshe Kaplan for the report.
     new  598c766   Don't mix emem and glib memory and init routines.
     new  84faf42   Add a check for an oversized record.

The 56 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Summary of changes:
 asn1/ldap/packet-ldap-template.c       |    4 +-
 asn1/nbap/nbap.cnf                     |    7 ++-
 asn1/nbap/packet-nbap-template.c       |    2 +-
 epan/dissectors/packet-acn.c           |    4 +-
 epan/dissectors/packet-ber.c           |    7 ++-
 epan/dissectors/packet-bssgp.c         |   64 +++++++++++----------
 epan/dissectors/packet-capwap.c        |    6 +-
 epan/dissectors/packet-cimd.c          |    6 +-
 epan/dissectors/packet-clnp.c          |   39 +++++++------
 epan/dissectors/packet-csn1.c          |   36 ++++++------
 epan/dissectors/packet-csn1.h          |   92 +++++++++++++++---------------
 epan/dissectors/packet-dcp-etsi.c      |   29 ++++++----
 epan/dissectors/packet-drda.c          |    5 ++
 epan/dissectors/packet-dtls.c          |    2 +-
 epan/dissectors/packet-dtn.c           |   25 +++++----
 epan/dissectors/packet-dvbci.c         |   12 ++--
 epan/dissectors/packet-frame.c         |   17 ++++++
 epan/dissectors/packet-gmr1_bcch.c     |    2 +
 epan/dissectors/packet-gsm_a_bssmap.c  |   43 ++++++--------
 epan/dissectors/packet-gsm_a_common.c  |   96 ++++++++++++++++++++++++--------
 epan/dissectors/packet-gsm_bssmap_le.c |   10 ++--
 epan/dissectors/packet-gsm_rlcmac.c    |   12 ++--
 epan/dissectors/packet-gsm_rlcmac.h    |    8 +--
 epan/dissectors/packet-gsm_sms.c       |   57 +++++++++----------
 epan/dissectors/packet-gtpv2.c         |   16 +++---
 epan/dissectors/packet-hsrp.c          |   10 +++-
 epan/dissectors/packet-http.c          |   28 +++++++---
 epan/dissectors/packet-ieee802154.c    |    4 +-
 epan/dissectors/packet-ldap.c          |   12 ++--
 epan/dissectors/packet-ldp.c           |   20 ++++---
 epan/dissectors/packet-mount.c         |    2 +-
 epan/dissectors/packet-mpeg-dsmcc.c    |    2 +-
 epan/dissectors/packet-ms-mms.c        |   26 +++++++--
 epan/dissectors/packet-nas_eps.c       |   39 ++++++-------
 epan/dissectors/packet-nbap.c          |   77 +++++++++++++------------
... 23 lines suppressed ...