Do bounds checking on references to the bids array.

Addresses GitHub issue #484.
the-tcpdump-group · Apr 26, 2018 · 9bac75a · 9bac75a
1 parent 711c82a
commit 9bac75a
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 6 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -133,6 +133,7 @@ HDR = $(PUBHDR) \
 	llc.h \
 	nametoaddr.h \
 	nlpid.h \
+	optimize.h \
 	pcap-common.h \
 	pcap-int.h \
 	pcap-rpcap.h \

diff --git a/bpf_dump.c b/bpf_dump.c
@@ -26,6 +26,8 @@
 #include <pcap.h>
 #include <stdio.h>
 
+#include "optimize.h"
+
 void
 bpf_dump(const struct bpf_program *p, int option)
 {
@@ -50,8 +52,7 @@ bpf_dump(const struct bpf_program *p, int option)
 	}
 	for (i = 0; i < n; ++insn, ++i) {
 #ifdef BDEBUG
-		extern int bids[];
-		if (bids[i] > 0)
+		if (i < NBIDS && bids[i] > 0)
 			printf("[%02d]", bids[i] - 1);
 		else
 			printf(" -- ");

diff --git a/optimize.c b/optimize.c
@@ -37,6 +37,7 @@
 #include "pcap-int.h"
 
 #include "gencode.h"
+#include "optimize.h"
 
 #ifdef HAVE_OS_PROTO_H
 #include "os-proto.h"
@@ -2062,7 +2063,7 @@ opt_init(compiler_state_t *cstate, opt_state_t *opt_state, struct icode *ic)
  * and expect it to provide meaningful information.
  */
 #ifdef BDEBUG
-int bids[1000];
+int bids[NBIDS];
 #endif
 
 /*
@@ -2190,7 +2191,8 @@ convert_code_r(compiler_state_t *cstate, conv_state_t *conv_state,
 		free(offset);
 
 #ifdef BDEBUG
-	bids[dst - conv_state->fstart] = p->id + 1;
+	if (dst - conv_state->fstart < NBIDS)
+		bids[dst - conv_state->fstart] = p->id + 1;
 #endif
 	dst->code = (u_short)p->s.code;
 	dst->k = p->s.k;

diff --git a/optimize.h b/optimize.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/*
+ * Some stuff for use when debugging the optimizer.
+ */
+#ifdef BDEBUG
+extern int pcap_optimizer_debug;	/* optimizer debugging level */
+
+#define NBIDS	1000
+extern int bids[NBIDS];
+#endif
diff --git a/pcap.c b/pcap.c
@@ -78,6 +78,8 @@ struct rtentry;		/* declarations in <net/if.h> */
 
 #include "pcap-int.h"
 
+#include "optimize.h"
+
 #ifdef HAVE_DAG_API
 #include "pcap-dag.h"
 #endif /* HAVE_DAG_API */
@@ -3928,8 +3930,6 @@ PCAP_API void pcap_set_optimizer_debug(int value);
 PCAP_API_DEF void
 pcap_set_optimizer_debug(int value)
 {
-	extern int pcap_optimizer_debug;
-
 	pcap_optimizer_debug = value;
 }
 #endif