
Commit 11edc83

committed
Don't treat the packet length as unsigned.
The scanf family of functions are as annoyingly bad at handling unsigned numbers as strtoul() is - both of them are perfectly willing to accept a value beginning with a negative sign as an unsigned value. When using strtoul(), you can compensate for this by explicitly checking for a '-' as the first character of the string, but you can't do that with sscanf(). So revert to having pkt_len be signed, and scanning it with %d, but check for a negative value and fail if we see a negative value. Bug: 12396 Change-Id: I54fe8f61f42c32b5ef33da633ece51bbcda8c95f Reviewed-on: https://code.wireshark.org/review/15220 Reviewed-by: Guy Harris <guy@alum.mit.edu>
1 parent 29c78db commit 11edc83


1 file changed

+8
-3
lines changed


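--- a/wiretap/netscreen.c
+++ b/wiretap/netscreen.c
@@ -263,28 +263,33 @@ static gboolean
 parse_netscreen_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf,
 char *line, int *err, gchar **err_info)
 {
+int pkt_len;
 int sec;
 int dsec;
 char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH];
 char direction[2];
-guint pkt_len;
 char cap_src[13];
 char cap_dst[13];
 guint8 *pd;
 gchar *p;
 int n, i = 0;
-guint offset = 0;
+int offset = 0;
 gchar dststr[13];
 
 phdr->rec_type = REC_TYPE_PACKET;
 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
 
-if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/",
+if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/",
 &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) {
 *err = WTAP_ERR_BAD_FILE;
 *err_info = g_strdup("netscreen: Can't parse packet-header");
 return -1;
 }
+if (pkt_len < 0) {
+*err = WTAP_ERR_BAD_FILE;
+*err_info = g_strdup("netscreen: packet header has a negative packet length");
+return FALSE;
+}
 if (pkt_len > WTAP_MAX_PACKET_SIZE) {
 /*
 * Probably a corrupt capture file; don't blow up trying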
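Review bot: The parse-failure branch directly above the new negative-length check still ends in `return -1;`, but the function is declared `static gboolean`, so a header that sscanf() could not parse comes back as a non-zero (true) result, while the new branch correctly returns `FALSE`. That line should become `return FALSE;` so that both malformed-header paths fail closed in the same way. Separately, the `< 5` threshold accepts a line on which `cap_src` and `cap_dst` were never written. If the code after this hunk reads those arrays, they should be zero-initialised (`char cap_src[13] = {0};`) or the comparison tightened; the rest of the function body is outside the hunk, so this needs confirming against the full file.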
