pool/wireshark
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6ab2ee3f7c
wireshark/wireshark-1.2.1-CVE-2009-3241.patch

294 lines
12 KiB
Diff
Raw Normal View History

Accepting request 21610 from network:utilities Copy from network:utilities/wireshark based on submit request 21610 from user prusnak OBS-URL: https://build.opensuse.org/request/show/21610 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wireshark?expand=0&rev=24
2009-10-08 02:50:24 +02:00
Index: plugins/opcua/opcua_simpletypes.c
===================================================================
--- plugins/opcua/opcua_simpletypes.c (revision 29812)
+++ plugins/opcua/opcua_simpletypes.c (revision 29813)
@@ -34,9 +34,6 @@
#include <string.h>
#include <epan/emem.h>
-/* string buffer */
-#define MAX_BUFFER 256
-
#define DIAGNOSTICINFO_ENCODINGMASK_SYMBOLICID_FLAG 0x01
#define DIAGNOSTICINFO_ENCODINGMASK_NAMESPACE_FLAG 0x02
#define DIAGNOSTICINFO_ENCODINGMASK_LOCALIZEDTEXT_FLAG 0x04
@@ -56,6 +53,9 @@
#define EXTOBJ_ENCODINGMASK_BINBODY_FLAG 0x01
#define EXTOBJ_ENCODINGMASK_XMLBODY_FLAG 0x02
+/* Chosen arbitrarily */
+#define MAX_ARRAY_LEN 10000
+
static int hf_opcua_diag_mask_symbolicflag = -1;
static int hf_opcua_diag_mask_namespaceflag = -1;
static int hf_opcua_diag_mask_localizedtextflag = -1;
@@ -338,35 +338,28 @@
void parseString(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
{
- char *szValue = ep_alloc(MAX_BUFFER);
+ char *szValue;
gint iOffset = *pOffset;
gint32 iLen = tvb_get_letohl(tvb, *pOffset);
iOffset+=4;
- if (szValue)
+ if (iLen == -1)
{
- if (iLen == -1)
- {
- g_snprintf(szValue, MAX_BUFFER, "[OpcUa Null String]");
- }
- else if (iLen >= 0)
- {
- int iStrLen = iLen;
- if (iStrLen > (MAX_BUFFER-1)) iStrLen = MAX_BUFFER - 1;
- /* copy non null terminated string of length iStrlen */
- strncpy(szValue, (char*)&tvb->real_data[iOffset], iStrLen);
- /* set null terminator */
- szValue[iStrLen] = 0;
- iOffset += iLen; /* eat the whole string */
- }
- else
- {
- g_snprintf(szValue, MAX_BUFFER, "[Invalid String] Ups, something is wrong with this message.");
- }
-
+ proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset),
+ "[OpcUa Null String]");
+ }
+ else if (iLen >= 0)
+ {
+ iOffset += iLen; /* eat the whole string */
+ proto_tree_add_item(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), TRUE);
+ }
+ else
+ {
+ szValue = ep_strdup_printf("[Invalid String] Invalid length: %d", iLen);
proto_tree_add_string(tree, hfIndex, tvb, *pOffset, (iOffset - *pOffset), szValue);
- *pOffset = iOffset;
}
+
+ *pOffset = iOffset;
}
void parseStatusCode(proto_tree *tree, tvbuff_t *tvb, gint *pOffset, int hfIndex)
@@ -644,10 +637,18 @@
proto_tree *subtree = proto_item_add_subtree(ti, ett_opcua_array);
int i;
- for (i=0; i<ArrayLength; i++)
+ if (ArrayLength < MAX_ARRAY_LEN)
{
- parseInt32(subtree, tvb, pOffset, hf_opcua_Int32);
+ for (i=0; i<ArrayLength; i++)
+ {
+ parseInt32(subtree, tvb, pOffset, hf_opcua_Int32);
+ }
}
+ else
+ {
+ /* XXX - This should be expert_add_info_format, but we need pinfo for that */
+ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, iOffset, 4, "Array length %d too large to process", ArrayLength));
+ }
}
*pOffset = iOffset;
@@ -668,11 +669,17 @@
/* read array length */
iLen = tvb_get_letohl(tvb, *pOffset);
proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
- *pOffset += 4;
if (iLen == -1) return; /* no array */
if (iLen == 0) return; /* array with zero elements*/
+ if (iLen > MAX_ARRAY_LEN)
+ {
+ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
+ return;
+ }
+
+ *pOffset += 4;
for (i=0; i<iLen; i++)
{
(*pParserFunction)(subtree, tvb, pOffset, hfIndex);
@@ -694,11 +701,17 @@
/* read array length */
iLen = tvb_get_letohl(tvb, *pOffset);
proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
- *pOffset += 4;
if (iLen == -1) return; /* no array */
if (iLen == 0) return; /* array with zero elements*/
+ if (iLen > MAX_ARRAY_LEN)
+ {
+ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
+ return;
+ }
+
+ *pOffset += 4;
for (i=0; i<iLen; i++)
{
(*pParserFunction)(subtree, tvb, pOffset);
@@ -719,11 +732,17 @@
/* read array length */
iLen = tvb_get_letohl(tvb, *pOffset);
proto_tree_add_item(subtree, hf_opcua_ArraySize, tvb, *pOffset, 4, TRUE);
- *pOffset += 4;
if (iLen == -1) return; /* no array */
if (iLen == 0) return; /* array with zero elements*/
+ if (iLen > MAX_ARRAY_LEN)
+ {
+ PROTO_ITEM_SET_GENERATED(proto_tree_add_text(tree, tvb, *pOffset, 4, "Array length %d too large to process", iLen));
+ return;
+ }
+
+ *pOffset += 4;
for (i=0; i<iLen; i++)
{
char szNum[20];
Index: plugins/opcua/opcua.c
===================================================================
--- plugins/opcua/opcua.c (revision 29812)
+++ plugins/opcua/opcua.c (revision 29813)
@@ -167,32 +167,32 @@
col_set_str(pinfo->cinfo, COL_PROTOCOL, "OpcUa");
/* parse message type */
- if (tvb->real_data[0] == 'H' && tvb->real_data[1] == 'E' && tvb->real_data[2] == 'L')
+ if (tvb_memeql(tvb, 0, "HEL", 3))
{
msgtype = MSG_HELLO;
pfctParse = parseHello;
}
- else if (tvb->real_data[0] == 'A' && tvb->real_data[1] == 'C' && tvb->real_data[2] == 'K')
+ else if (tvb_memeql(tvb, 0, "ACK", 3))
{
msgtype = MSG_ACKNOWLEDGE;
pfctParse = parseAcknowledge;
}
- else if (tvb->real_data[0] == 'E' && tvb->real_data[1] == 'R' && tvb->real_data[2] == 'R')
+ else if (tvb_memeql(tvb, 0, "ERR", 3))
{
msgtype = MSG_ERROR;
pfctParse = parseError;
}
- else if (tvb->real_data[0] == 'M' && tvb->real_data[1] == 'S' && tvb->real_data[2] == 'G')
+ else if (tvb_memeql(tvb, 0, "MSG", 3))
{
msgtype = MSG_MESSAGE;
pfctParse = parseMessage;
}
- else if (tvb->real_data[0] == 'O' && tvb->real_data[1] == 'P' && tvb->real_data[2] == 'N')
+ else if (tvb_memeql(tvb, 0, "OPN", 3))
{
msgtype = MSG_OPENSECURECHANNEL;
pfctParse = parseOpenSecureChannel;
}
- else if (tvb->real_data[0] == 'C' && tvb->real_data[1] == 'L' && tvb->real_data[2] == 'O')
+ else if (tvb_memeql(tvb, 0, "CLO", 3))
{
msgtype = MSG_CLOSESECURECHANNEL;
pfctParse = parseCloseSecureChannel;
Index: plugins/opcua/opcua_transport_layer.c
===================================================================
--- plugins/opcua/opcua_transport_layer.c (revision 29812)
+++ plugins/opcua/opcua_transport_layer.c (revision 29813)
@@ -126,35 +126,11 @@
proto_register_field_array(proto, hf, array_length(hf));
}
-/** helper functions for adding strings,
- * that are not zero terminated.
- */
-void addString(proto_tree *tree,
- int hfindex,
- tvbuff_t *tvb,
- gint start,
- gint length,
- const char *value)
-{
- char *szValue = ep_alloc(256);
-
- if (szValue)
- {
- if (length > 255) length = 255;
- /* copy non null terminated string data */
- strncpy(szValue, value, length);
- /* set null terminator */
- szValue[length] = 0;
-
- proto_tree_add_string(tree, hfindex, tvb, start, length, szValue);
- }
-}
-
/* Transport Layer: message parsers */
void parseHello(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
{
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4;
@@ -166,8 +142,8 @@
void parseAcknowledge(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
{
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_ver, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_rbs, tvb, *pOffset, 4, TRUE); *pOffset+=4;
@@ -178,8 +154,8 @@
void parseError(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
{
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_error, tvb, *pOffset, 4, TRUE); *pOffset+=4;
parseString(tree, tvb, pOffset, hf_opcua_transport_reason);
@@ -192,8 +168,8 @@
proto_tree *nodeid_tree;
int ServiceId = 0;
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
@@ -223,8 +199,8 @@
proto_tree *nodeid_tree;
int ServiceId = 0;
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
parseString(tree, tvb, pOffset, hf_opcua_transport_spu);
@@ -247,8 +223,8 @@
void parseCloseSecureChannel(proto_tree *tree, tvbuff_t *tvb, gint *pOffset)
{
- addString(tree, hf_opcua_transport_type, tvb, *pOffset, 3, tvb->real_data); *pOffset+=3;
- addString(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, &tvb->real_data[*pOffset]); *pOffset+=1;
+ proto_tree_add_item(tree, hf_opcua_transport_type, tvb, *pOffset, 3, TRUE); *pOffset+=3;
+ proto_tree_add_item(tree, hf_opcua_transport_chunk, tvb, *pOffset, 1, TRUE); *pOffset+=1;
proto_tree_add_item(tree, hf_opcua_transport_size, tvb, *pOffset, 4, TRUE); *pOffset+=4;
proto_tree_add_item(tree, hf_opcua_transport_scid, tvb, *pOffset, 4, TRUE); *pOffset+=4;
}
Reference in New Issue Copy Permalink