
Commit 5efb452

committed
Fix packet length handling.
Treat the packet length as unsigned - it shouldn't be negative in the file. If it is, that'll probably cause the sscanf to fail, so we'll report the file as bad. Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to allocate a huge amount of memory, just as we do in other file readers. Use the now-validated packet size as the length in ws_buffer_assure_space(), so we are certain to have enough space, and don't allocate too much space. Bug: 12394 Change-Id: Ifa023ce70f7a2697bf151009b035a6e6cf8d5d90 Reviewed-on: https://code.wireshark.org/review/15169 Reviewed-by: Guy Harris <guy@alum.mit.edu>
1 parent e61ed67 commit 5efb452

1 file changed

+14
-8
lines changed


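--- a/wiretap/toshiba.c
+++ b/wiretap/toshiba.c
@@ -98,11 +98,6 @@ static const char toshiba_hdr_magic[] =
 static const char toshiba_rec_magic[] = { '[', 'N', 'o', '.' };
 #define TOSHIBA_REC_MAGIC_SIZE (sizeof toshiba_rec_magic / sizeof toshiba_rec_magic[0])
 
-/*
-* XXX - is this the biggest packet we can get?
-*/
-#define TOSHIBA_MAX_PACKET_LEN 16384
-
 static gboolean toshiba_read(wtap *wth, int *err, gchar **err_info,
 gint64 *data_offset);
 static gboolean toshiba_seek_read(wtap *wth, gint64 seek_off,
@@ -253,7 +248,8 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
 char line[TOSHIBA_LINE_LENGTH];
 int num_items_scanned;
-int pkt_len, pktnum, hr, min, sec, csec;
+guint pkt_len;
+int pktnum, hr, min, sec, csec;
 char channel[10], direction[10];
 int i, hex_lines;
 guint8 *pd;
@@ -305,12 +301,22 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 
 } while (strcmp(line, "OFFSET 0001-0203") != 0);
 
-num_items_scanned = sscanf(line+64, "LEN=%9d", &pkt_len);
+num_items_scanned = sscanf(line+64, "LEN=%9u", &pkt_len);
 if (num_items_scanned != 1) {
 *err = WTAP_ERR_BAD_FILE;
 *err_info = g_strdup("toshiba: OFFSET line doesn't have valid LEN item");
 return FALSE;
 }
+if (pkt_len > WTAP_MAX_PACKET_SIZE) {
+/*
+* Probably a corrupt capture file; don't blow up trying
+* to allocate space for an immensely-large packet.
+*/
+*err = WTAP_ERR_BAD_FILE;
+*err_info = g_strdup_printf("toshiba: File has %u-byte packet, bigger than maximum of %u",
+pkt_len, WTAP_MAX_PACKET_SIZE);
+return FALSE;
+}
 
 phdr->rec_type = REC_TYPE_PACKET;
 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
@@ -341,7 +347,7 @@ parse_toshiba_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 }
 
 /* Make sure we have enough room for the packet */
-ws_buffer_assure_space(buf, TOSHIBA_MAX_PACKET_LEN);
+ws_buffer_assure_space(buf, pkt_len);
 pd = ws_buffer_start_ptr(buf);
 
 /* Calculate the number of hex dump lines, each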
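Review bot: Sizing the buffer to exactly `pkt_len` in the last hunk removes the slack the fixed 16384-byte reservation used to give the hex-dump loop that follows, and that loop (it starts after this hunk, outside the view) is now the only thing standing between a file whose dump rows carry more bytes than LEN claims and a write past `pd`. If the per-row parser stores a whole row regardless of how many bytes remain, the reservation needs to round up to a row boundary or the stores need to stop at `pkt_len`; I would at least document the new invariant next to the call, `/* pd holds exactly pkt_len bytes; the hex-dump loop below must never store past it */`. Separately, the commit message's expectation that a negative LEN makes the sscanf fail does not hold for `%9u`, which accepts a leading minus sign and wraps the value; the new `WTAP_MAX_PACKET_SIZE` check in the third hunk is what actually rejects such a file, so that check is load-bearing and should not be loosened later. parse_toshiba_packet begins and ends outside these hunks.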
