Fix gg dissector arbitary length heap overflow

NickSampanis · Oct 17, 2014 · 37dcfdf · 37dcfdf
1 parent 535f984
commit 37dcfdf
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/src/dissectors/ec_gg.c b/src/dissectors/ec_gg.c
@@ -358,6 +358,8 @@ FUNC_DECODER(dissector_gg)
 if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
    gg_get_status(gg_login50->status,tbuf);
    gg_get_version(gg_login50->version,tbuf3);
+   if ((int)gg->len-22 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login50->description, (gg->len)-22);
    tbuf2[(gg->len)-22]='\0';
    sprintf(user,"%u",gg_login50->uin);
@@ -378,6 +380,8 @@ if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
 else if (gg->type == GG_LOGIN60_CMD) {
    gg_get_status(gg_login60->status,tbuf);
    gg_get_version(gg_login60->version,tbuf3);
+   if ((int)gg->len-31 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login60->description, (gg->len)-31);
    tbuf2[(gg->len)-31]='\0';
    sprintf(user,"%u",gg_login60->uin);
@@ -400,6 +404,8 @@ else if (gg->type == GG_LOGIN60_CMD) {
 else if (gg->type == GG_LOGIN70_CMD) {
    gg_get_status(gg_login70->status,tbuf);
    gg_get_version(gg_login70->version,tbuf3);
+   if ((int)gg->len-92 < 0)
+       return NULL;
    strncpy(tbuf2,gg_login70->description, (gg->len)-92);
    tbuf2[(gg->len)-92]='\0';
    sprintf(user,"%u",gg_login70->uin);
@@ -447,6 +453,8 @@ else if (gg->type == GG_WELCOME_CMD) {
 #ifdef GG_CONTACTS_STATUS_CHANGES
 else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
     gg_get_status(gg_status->status,tbuf);
+    if ((int)gg->len-8 < 0)
+        return NULL;
     strncpy(tbuf2,gg_status->description, (gg->len)-8);
     tbuf2[(gg->len)-8]='\0';
     DISSECT_MSG("GG : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -459,6 +467,8 @@ else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
 #endif
 else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
       gg_get_status(gg_new_status->status,tbuf);
+      if ((int)gg->len-4 < 0)
+          return NULL;
       strncpy(tbuf2,gg_new_status->description, (gg->len)-4);
       tbuf2[(gg->len)-4]='\0';
       DISSECT_MSG("GG : %s:%d -> %s:%d - NEW STATUS  STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -471,6 +481,8 @@ else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
 else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
       gg_get_status(gg_status50->status,tbuf);
       gg_get_version(gg_status50->version,tbuf3);
+      if ((int)gg->len-20 < 0)
+          return NULL;
       strncpy(tbuf2,gg_status50->description, (gg->len)-20);
       tbuf2[(gg->len)-20]='\0';
       DISSECT_MSG("GG4/5 : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)  VERSION: %s  RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -486,6 +498,8 @@ else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
 else if (gg->type == GG_STATUS60_CMD) {
       gg_get_status(gg_status60->status,tbuf);
       gg_get_version(gg_status60->version,tbuf3);
+      if ((int)gg->len-14 < 0)
+          return NULL;
       strncpy(tbuf2,gg_status60->description, (gg->len)-14);
       tbuf2[(gg->len)-14]='\0';
       DISSECT_MSG("GG6 : %s:%d -> %s:%d - STATUS CHANGED  UIN: %u  STATUS: %s (%s)  VERSION: %s  RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -500,6 +514,8 @@ else if (gg->type == GG_STATUS60_CMD) {
 }
 else if (gg->type == GG_STATUS70_CMD) {
       gg_get_status(gg_status70->status,tbuf);
+      if ((int)gg->len-18 < 0)
+          return NULL;
       gg_get_version(gg_status70->version,tbuf3);
       strncpy(tbuf2,gg_status70->description, (gg->len)-18);
       tbuf2[(gg->len)-18]='\0';