Wireshark-commits: [Wireshark-commits] master f6ef53e: csn1: Validate recursive array max size duri
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Wed, 25 Mar 2020 16:51:43 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6ef53e3ed87cb83144e2e7270f38a459d459711
Submitter: "Pascal Quantin <pascal@xxxxxxxxxxxxx>"
Changed: branch: master
Repository: wireshark

Commits:

f6ef53e by Pau Espin Pedrol (pespin@xxxxxxxxxxx):

    csn1: Validate recursive array max size during decoding
    
    This way if CSN1 encoded bitstream contains more elements than what the
    definition expects it will fail instead of overflowing the decoded
    buffer.
    
    Example: RA Capabilities struct (recursive array) sent by a real android phone
    when attaching to the network. Then SGSN sends it back and osmo-pcu would crash
    similar to this:
    *** stack smashing detected ***: terminated
     Process terminating with default action of signal 6 (SIGABRT): dumping core
    at 0x4C62CE5: raise (in /usr/lib/libc-2.31.so)
    by 0x4C4C856: abort (in /usr/lib/libc-2.31.so)
    by 0x4CA62AF: __libc_message (in /usr/lib/libc-2.31.so)
    by 0x4D36069: __fortify_fail (in /usr/lib/libc-2.31.so)
    by 0x4D36033: __stack_chk_fail (in /usr/lib/libc-2.31.so)
    by 0x124706: testRAcap2(void*) (RLCMACTest.cpp:468)
    
    Port from osmo-pcu.git efad80bfbffb2a35d2516e56dc40979f19c6c370
    Related: https://osmocom.org/issues/4463
    
    Change-Id: I6bdd6960141829491aebbfdaab548c41d4a3bc9f
    Reviewed-on: https://code.wireshark.org/review/36572
    Reviewed-by: Harald Welte <laforge@xxxxxxxxxxxx>
    Petri-Dish: Pascal Quantin <pascal@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Pascal Quantin <pascal@xxxxxxxxxxxxx>
    

Actions performed:

    from  7b8ea03   lltd: fix typo found by lintian (Phyiscal => Physical)
     add  f6ef53e   csn1: Validate recursive array max size during decoding


Summary of changes:
 epan/dissectors/packet-csn1.c | 18 ++++++++++++++++--
 epan/dissectors/packet-csn1.h |  6 +++---
 2 files changed, 19 insertions(+), 5 deletions(-)
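
The bounds check the commit message describes, as an added example that is not code from Wireshark or osmo-pcu: a CSN.1-style recursive array (`{ 1 <element> } ** 0`) decoded into a fixed-size buffer, failing once the stream carries more elements than the buffer holds. The bit reader, the 4-bit element width, the error codes and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified bit reader; not the Wireshark or osmo-pcu API. */
typedef struct {
    const uint8_t *buf;
    size_t nbits;   /* total bits available */
    size_t pos;     /* next bit to read, MSB first */
} bitreader_t;

/* Read n (<= 8) bits, or return -1 if the stream is exhausted. */
static int read_bits(bitreader_t *br, unsigned n)
{
    int v = 0;
    if (n > br->nbits - br->pos) return -1;
    while (n--) {
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
        br->pos++;
    }
    return v;
}

enum { REC_OK = 0, REC_ERR_TRUNCATED = -1, REC_ERR_TOO_MANY = -2 };

/* Decode "{ 1 <4-bit element> } ** 0" into out[0..max_elems-1].
 * The sender decides how many elements follow, so the bound is checked
 * before every store instead of trusting the stream to stop in time. */
static int decode_rec_array(bitreader_t *br, uint8_t *out, size_t max_elems, size_t *count)
{
    int bit, v;
    *count = 0;
    while ((bit = read_bits(br, 1)) == 1) {
        if (*count >= max_elems)
            return REC_ERR_TOO_MANY;    /* fail instead of writing past out[] */
        if ((v = read_bits(br, 4)) < 0)
            return REC_ERR_TRUNCATED;
        out[(*count)++] = (uint8_t)v;
    }
    return bit < 0 ? REC_ERR_TRUNCATED : REC_OK;
}

int main(void)
{
    const uint8_t three[] = { 0x9D, 0x62 };  /* constructed: elements 3, 5, 1 */
    bitreader_t br = { three, 16, 0 };
    uint8_t out[2]; size_t n;
    return decode_rec_array(&br, out, 2, &n) == REC_ERR_TOO_MANY ? 0 : 1;
}
```

Without the `*count >= max_elems` test, the third element in the sample stream would be written to `out[2]`, one slot past the end of the caller's stack buffer.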