Commit 3270dfa

Don't treat the packet length as unsigned.

The scanf family of functions are as annoyingly bad at handling unsigned numbers as strtoul() is - both of them are perfectly willing to accept a value beginning with a negative sign as an unsigned value.

When using strtoul(), you can compensate for this by explicitly checking for a '-' as the first character of the string, but you can't do that with sscanf().

So revert to having pkt_len be signed, and scanning it with %d, but check for a negative value and fail if we see a negative value.

Bug: 12394
Change-Id: I4b19b95f2e1ffc96dac5c91bff6698c246f52007
Reviewed-on: https://code.wireshark.org/review/15230
Reviewed-by: Guy Harris <guy@alum.mit.edu>

1 parent a66628e commit 3270dfa
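
The sscanf() behaviour the commit message describes, as an added example that is not part of the commit or of Wireshark's code: the same `LEN=` field scanned with `%9u` and with `%9d` plus a range check. The function names, the `EXAMPLE_MAX_LEN` cap and the sample strings are constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical cap standing in for the project's maximum packet size. */
#define EXAMPLE_MAX_LEN 65535

/* "Before" pattern: %u accepts a leading '-', so "LEN=-1" scans
 * successfully and the value wraps to a large unsigned number.
 * Returns 1 if sscanf() accepted the field, 0 otherwise. */
static int scan_len_unsigned(const char *field, unsigned int *out)
{
    unsigned int len;

    if (sscanf(field, "LEN=%9u", &len) != 1)
        return 0;
    *out = len;
    return 1;
}

/* "After" pattern: scan as signed so the sign survives, then reject
 * negative and oversized lengths explicitly. */
static int scan_len_signed(const char *field, int *out)
{
    int len;

    if (sscanf(field, "LEN=%9d", &len) != 1)
        return 0;
    if (len < 0 || len > EXAMPLE_MAX_LEN)
        return 0;
    *out = len;
    return 1;
}

int main(void)
{
    /* Constructed sample fields, not taken from a real capture file. */
    const char *samples[] = { "LEN=64", "LEN=-1", "LEN=abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int u = 0;
        int s = 0;
        int ok_u = scan_len_unsigned(samples[i], &u);
        int ok_s = scan_len_signed(samples[i], &s);
        printf("%-8s  %%u: ok=%d value=%u   %%d+check: ok=%d value=%d\n",
               samples[i], ok_u, u, ok_s, s);
    }
    return 0;
}
```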

1 file changed

+7
-3
lines changed

Diff for: wiretap/toshiba.c

@@ -248,8 +248,7 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
248248
union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
249249
char line[TOSHIBA_LINE_LENGTH];
250250
int num_items_scanned;
251-
guint pkt_len;
252-
int pktnum, hr, min, sec, csec;
251+
int pkt_len, pktnum, hr, min, sec, csec;
253252
char channel[10], direction[10];
254253
int i, hex_lines;
255254
guint8 *pd;
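
Review bot: The declaration at new line 251 folds pkt_len into the same int list as pktnum, hr, min, sec and csec, so nothing in the code records that its signedness is deliberate. Consider keeping it on its own line with a one-line comment saying it is signed so that a leading '-' in the LEN item can be detected; otherwise a later cleanup could change it back to guint and silently undo the fix. Any use of pkt_len outside the lines shown here that relied on it being unsigned should also be rechecked against the new type.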
@@ -301,12 +300,17 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
301300

302301
} while (strcmp(line, "OFFSET 0001-0203") != 0);
303302

304-
num_items_scanned = sscanf(line+64, "LEN=%9u", &pkt_len);
303+
num_items_scanned = sscanf(line+64, "LEN=%9d", &pkt_len);
305304
if (num_items_scanned != 1) {
306305
*err = WTAP_ERR_BAD_FILE;
307306
*err_info = g_strdup("toshiba: OFFSET line doesn't have valid LEN item");
308307
return FALSE;
309308
}
309+
if (pkt_len < 0) {
310+
*err = WTAP_ERR_BAD_FILE;
311+
*err_info = g_strdup("toshiba: packet header has a negative packet length");
312+
return FALSE;
313+
}
310314
if (pkt_len > WTAP_MAX_PACKET_SIZE) {
311315
/*
312316
* Probably a corrupt capture file; don't blow up trying
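
Review bot: The new error string at new line 311 says "packet header has a negative packet length" while the check directly above reports "OFFSET line doesn't have valid LEN item", although both failures come from the same LEN item on the OFFSET line; naming the OFFSET line or the LEN item in the new message would keep the two consistent for whoever reads the error. The switch to "LEN=%9d" at new line 303 would also benefit from a short comment stating that signed scanning is intentional so the pkt_len < 0 check can see a minus sign, since that reasoning currently lives only in the commit message. Note as well that the field width of 9 now counts the sign character toward the nine characters consumed.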
