
Commit 87d6bef

mcrguyharris
authored andcommitted
do sanity checks on PHB header length before allocating memory. There was no fault, but doing the check results in a more consistent error.
1 parent 449d952 commit 87d6bef


1 file changed

+10
-16
lines changed


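--- a/sf-pcapng.c
+++ b/sf-pcapng.c
@@ -85,7 +85,7 @@ struct option_header {
 * Section Header Block.
 */
 #define BT_SHB 0x0A0D0D0A
-
+#define BT_SHB_INSANE_MAX 1024*1024*1 /* 1MB should be enough */
 struct section_header_block {
 bpf_u_int32 byte_order_magic;
 u_short major_version;
@@ -266,7 +266,7 @@ read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
 if (amt_read == 0 && !fail_on_eof)
 return (0); /* EOF */
 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
-"truncated dump file; tried to read %" PRIsize " bytes, only got %" PRIsize,
+"truncated pcapng dump file; tried to read %" PRIsize " bytes, only got %" PRIsize,
 bytes_to_read, amt_read);
 }
 return (-1);
@@ -856,26 +856,20 @@ pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
 /*
 * Check the sanity of the total length.
 */
-if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
+if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
+(total_length > BT_SHB_INSANE_MAX)) {
 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
-"Section Header Block in pcapng dump file has a length of %u < %" PRIsize,
-total_length,
-sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer));
-*err = 1;
-return (NULL);
-}
+"Section Header Block in pcapng dump file has invalid length %" PRIsize " < _%lu_ < %lu (BT_SHB_INSANE_MAX)",
+sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
+total_length,
+BT_SHB_INSANE_MAX);
 
-/*
-* Make sure it's not too big.
-*/
-if (total_length > INITIAL_MAX_BLOCKSIZE) {
-pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
-"pcapng block size %u > maximum %u",
-total_length, INITIAL_MAX_BLOCKSIZE);
 *err = 1;
 return (NULL);
 }
 
+
+
 /*
 * OK, this is a good pcapng file.
 * Allocate a pcap_t for it.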
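Review bot: The new error message in the pcap_ng_check_header hunk passes total_length and BT_SHB_INSANE_MAX to `%lu`, but total_length was a 32-bit unsigned (the removed line printed it with `%u`) and BT_SHB_INSANE_MAX expands to the int expression `1024*1024*1`; neither argument is an unsigned long, so the call is undefined behavior and on LP64 targets the diagnostic will print garbage for the very values an operator needs when rejecting a malformed file. Use `%u` for both, e.g. `"Section Header Block in pcapng dump file has invalid length %" PRIsize " <= _%u_ <= %u (BT_SHB_INSANE_MAX)"` with `(unsigned)BT_SHB_INSANE_MAX` as the last argument; building with -Wformat would have caught this. The macro added in the first hunk is also unparenthesized, so `#define BT_SHB_INSANE_MAX (1024*1024*1)` is safer if it is ever used inside a larger expression. The body of pcap_ng_check_header starts and ends outside the hunk.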
