From 37dcfdf79e1ac6dcacd565894cd7717aa0224164 Mon Sep 17 00:00:00 2001
From: NickSampanis
Date: Fri, 17 Oct 2014 19:24:49 +0300
Subject: [PATCH] Fix gg dissector arbitary length heap overflow
---
 src/dissectors/ec_gg.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/dissectors/ec_gg.c b/src/dissectors/ec_gg.c
index 6f8260dbd..96658943b 100644
--- a/src/dissectors/ec_gg.c
+++ b/src/dissectors/ec_gg.c
@@ -358,6 +358,8 @@ FUNC_DECODER(dissector_gg)
 if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
 gg_get_status(gg_login50->status,tbuf);
 gg_get_version(gg_login50->version,tbuf3);
+ if ((int)gg->len-22 < 0)
+ return NULL;
 strncpy(tbuf2,gg_login50->description, (gg->len)-22);
 tbuf2[(gg->len)-22]='\0';
 sprintf(user,"%u",gg_login50->uin);
@@ -378,6 +380,8 @@ if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
 else if (gg->type == GG_LOGIN60_CMD) {
 gg_get_status(gg_login60->status,tbuf);
 gg_get_version(gg_login60->version,tbuf3);
+ if ((int)gg->len-31 < 0)
+ return NULL;
 strncpy(tbuf2,gg_login60->description, (gg->len)-31);
 tbuf2[(gg->len)-31]='\0';
 sprintf(user,"%u",gg_login60->uin);
@@ -400,6 +404,8 @@ else if (gg->type == GG_LOGIN60_CMD) {
 else if (gg->type == GG_LOGIN70_CMD) {
 gg_get_status(gg_login70->status,tbuf);
 gg_get_version(gg_login70->version,tbuf3);
+ if ((int)gg->len-92 < 0)
+ return NULL;
 strncpy(tbuf2,gg_login70->description, (gg->len)-92);
 tbuf2[(gg->len)-92]='\0';
 sprintf(user,"%u",gg_login70->uin);
@@ -447,6 +453,8 @@ else if (gg->type == GG_WELCOME_CMD) {
 #ifdef GG_CONTACTS_STATUS_CHANGES
 else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
 gg_get_status(gg_status->status,tbuf);
+ if ((int)gg->len-8 < 0)
+ return NULL;
 strncpy(tbuf2,gg_status->description, (gg->len)-8);
 tbuf2[(gg->len)-8]='\0';
 DISSECT_MSG("GG : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
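Review bot: The added guard in each hunk only rejects a length field smaller than the fixed offset; nothing bounds `(gg->len)-22` from above, so a length field larger than tbuf2's capacity still drives `strncpy(tbuf2, ...)` (which writes the full count, padding with NULs) and the following `tbuf2[(gg->len)-22]='\0'` store past the end of tbuf2, leaving the overflow named in the subject line reachable. If tbuf2 is a fixed-size array the check should be `if (gg->len < 22 || gg->len - 22 >= sizeof tbuf2) return NULL;` (its allocated length in place of `sizeof tbuf2` if it is heap-allocated), and the same applies to the hunks for offsets 31, 92 and 8 on this line and 4, 20, 14 and 18 on the next. Comparing the unsigned field directly also drops the `(int)` cast, whose result is implementation-defined once gg->len exceeds INT_MAX. It is not visible here whether gg->len has been checked against the captured payload length earlier in dissector_gg, whose body begins and ends outside these hunks; if it has not, the copy can also read past the end of the packet data.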
@@ -459,6 +467,8 @@ else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
 #endif
 else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
 gg_get_status(gg_new_status->status,tbuf);
+ if ((int)gg->len-4 < 0)
+ return NULL;
 strncpy(tbuf2,gg_new_status->description, (gg->len)-4);
 tbuf2[(gg->len)-4]='\0';
 DISSECT_MSG("GG : %s:%d -> %s:%d - NEW STATUS STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -471,6 +481,8 @@ else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
 else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
 gg_get_status(gg_status50->status,tbuf);
 gg_get_version(gg_status50->version,tbuf3);
+ if ((int)gg->len-20 < 0)
+ return NULL;
 strncpy(tbuf2,gg_status50->description, (gg->len)-20);
 tbuf2[(gg->len)-20]='\0';
 DISSECT_MSG("GG4/5 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -486,6 +498,8 @@ else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
 else if (gg->type == GG_STATUS60_CMD) {
 gg_get_status(gg_status60->status,tbuf);
 gg_get_version(gg_status60->version,tbuf3);
+ if ((int)gg->len-14 < 0)
+ return NULL;
 strncpy(tbuf2,gg_status60->description, (gg->len)-14);
 tbuf2[(gg->len)-14]='\0';
 DISSECT_MSG("GG6 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -500,6 +514,8 @@ else if (gg->type == GG_STATUS60_CMD) {
 }
 else if (gg->type == GG_STATUS70_CMD) {
 gg_get_status(gg_status70->status,tbuf);
+ if ((int)gg->len-18 < 0)
+ return NULL;
 gg_get_version(gg_status70->version,tbuf3);
 strncpy(tbuf2,gg_status70->description, (gg->len)-18);
 tbuf2[(gg->len)-18]='\0';
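Review bot: In the last hunk (offset 18) the guard is inserted between `gg_get_status` and `gg_get_version`, whereas the other seven hunks place it after `gg_get_version`; moving it below `gg_get_version(gg_status70->version,tbuf3);` keeps the eight branches uniform and easier to compare. Since the same two-line check now appears eight times with a different magic offset each (22, 31, 92, 8, 4, 20, 14, 18), a single `static` helper taking the offset and returning whether the description fits would keep the rule in one place and make the offsets auditable against the header layouts they stand for. dissector_gg continues outside the hunk.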