
Commit a66628e

committed
Don't treat the packet length as unsigned.
The scanf family of functions are as annoyingly bad at handling unsigned numbers as strtoul() is - both of them are perfectly willing to accept a value beginning with a negative sign as an unsigned value. When using strtoul(), you can compensate for this by explicitly checking for a '-' as the first character of the string, but you can't do that with sscanf(). So revert to having pkt_len be signed, and scanning it with %d, but check for a negative value and fail if we see a negative value. Bug: 12395 Change-Id: I43b458a73b0934e9a5c2c89d34eac5a8f21a7455 Reviewed-on: https://code.wireshark.org/review/15223 Reviewed-by: Guy Harris <guy@alum.mit.edu>
1 parent 85d57b5 commit a66628e


1 file changed

+8
-4
lines changed


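--- a/wiretap/cosine.c
+++ b/wiretap/cosine.c
@@ -330,8 +330,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 {
 union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
 int num_items_scanned;
-int yy, mm, dd, hr, min, sec, csec;
-guint pkt_len;
+int yy, mm, dd, hr, min, sec, csec, pkt_len;
 int pro, off, pri, rm, error;
 guint code1, code2;
 char if_name[COSINE_MAX_IF_NAME_LEN] = "", direction[6] = "";
@@ -343,7 +342,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 &yy, &mm, &dd, &hr, &min, &sec, &csec) == 7) {
 /* appears to be output to a control blade */
 num_items_scanned = sscanf(line,
-"%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+"%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
 &yy, &mm, &dd, &hr, &min, &sec, &csec,
 direction, if_name, &pkt_len,
 &pro, &off, &pri, &rm, &error,
@@ -357,7 +356,7 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 } else {
 /* appears to be output to PE */
 num_items_scanned = sscanf(line,
-"%5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+"%5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
 direction, if_name, &pkt_len,
 &pro, &off, &pri, &rm, &error,
 &code1, &code2);
@@ -369,6 +368,11 @@ parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
 }
 yy = mm = dd = hr = min = sec = csec = 0;
 }
+if (pkt_len < 0) {
+*err = WTAP_ERR_BAD_FILE;
+*err_info = g_strdup("cosine: packet header has a negative packet length");
+return FALSE;
+}
 if (pkt_len > WTAP_MAX_PACKET_SIZE) {
 /*
 * Probably a corrupt capture file; don't blow up trying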
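Review bot: The new `if (pkt_len < 0)` check in the last hunk carries no comment explaining why `pkt_len` is deliberately an `int` scanned with `%9d`, so a later cleanup could plausibly switch it back to `guint`/`%9u` and reopen the problem the commit message describes. I would add above the check: `/* pkt_len is signed on purpose: sscanf's %u accepts a leading '-', so scan with %d and reject negatives here. */`. Both `sscanf` format strings (the control-blade and the PE variant) depend on this single check, which is worth stating in the same comment. The rest of `parse_cosine_packet` lies outside the hunks; its later uses of `pkt_len` were presumably written for an unsigned value and should be checked for signed/unsigned mixing now that the type has changed.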
