
Commit f5ec0af

committed
Fix packet length handling.
Treat the packet length as unsigned - it shouldn't be negative in the file. If it is, that'll probably cause the sscanf to fail, so we'll report the file as bad. Check it against WTAP_MAX_PACKET_SIZE to make sure we don't try to allocate a huge amount of memory, just as we do in other file readers. Use the now-validated packet size as the length in ws_buffer_assure_space(), so we are certain to have enough space, and don't allocate too much space. Merge the header and packet data parsing routines while we're at it. Bug: 12395 Change-Id: Ia70f33b71ff28451190fcf144c333fd1362646b2 Reviewed-on: https://code.wireshark.org/review/15172 Reviewed-by: Guy Harris <guy@alum.mit.edu>
1 parent 69714b7 commit f5ec0af

1 file changed

+29
-46
lines changed

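--- a/wiretap/cosine.c
+++ b/wiretap/cosine.c
@@ -157,8 +157,6 @@
 #define COSINE_HEADER_LINES_TO_CHECK 200
 #define COSINE_LINE_LENGTH 240
 
-#define COSINE_MAX_PACKET_LEN 65536
-
 static gboolean empty_line(const gchar *line);
 static gint64 cosine_seek_next_packet(wtap *wth, int *err, gchar **err_info,
 char *hdr);
@@ -167,10 +165,8 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
 gint64 *data_offset);
 static gboolean cosine_seek_read(wtap *wth, gint64 seek_off,
 struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info);
-static int parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
-int *err, gchar **err_info);
-static gboolean parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr,
-int pkt_len, Buffer* buf, int *err, gchar **err_info);
+static int parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer* buf,
+char *line, int *err, gchar **err_info);
 static int parse_single_hex_dump_line(char* rec, guint8 *buf,
 guint byte_offset);
 
@@ -287,7 +283,6 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
 gint64 *data_offset)
 {
 gint64 offset;
-int pkt_len;
 char line[COSINE_LINE_LENGTH];
 
 /* Find the next packet */
@@ -296,22 +291,16 @@ static gboolean cosine_read(wtap *wth, int *err, gchar **err_info,
 return FALSE;
 *data_offset = offset;
 
-/* Parse the header */
-pkt_len = parse_cosine_rec_hdr(&wth->phdr, line, err, err_info);
-if (pkt_len == -1)
-return FALSE;
-
-/* Convert the ASCII hex dump to binary data */
-return parse_cosine_hex_dump(wth->fh, &wth->phdr, pkt_len,
-wth->frame_buffer, err, err_info);
+/* Parse the header and convert the ASCII hex dump to binary data */
+return parse_cosine_packet(wth->fh, &wth->phdr, wth->frame_buffer,
+line, err, err_info);
 }
 
 /* Used to read packets in random-access fashion */
 static gboolean
 cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
 Buffer *buf, int *err, gchar **err_info)
 {
-int pkt_len;
 char line[COSINE_LINE_LENGTH];
 
 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
@@ -325,13 +314,8 @@ cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
 return FALSE;
 }
 
-/* Parse the header */
-pkt_len = parse_cosine_rec_hdr(phdr, line, err, err_info);
-if (pkt_len == -1)
-return FALSE;
-
-/* Convert the ASCII hex dump to binary data */
-return parse_cosine_hex_dump(wth->random_fh, phdr, pkt_len, buf, err,
+/* Parse the header and convert the ASCII hex dump to binary data */
+return parse_cosine_packet(wth->random_fh, phdr, buf, line, err,
 err_info);
 }
 
@@ -340,23 +324,26 @@ cosine_seek_read(wtap *wth, gint64 seek_off, struct wtap_pkthdr *phdr,
 2002-5-10,20:1:31.4: l2-tx (FR:3/7/1:1), Length:18, Pro:0, Off:0, Pri:0, RM:0, Err:0 [0x4000, 0x0]
 2) output to PE without date and time
 l2-tx (FR:3/7/1:1), Length:18, Pro:0, Off:0, Pri:0, RM:0, Err:0 [0x4000, 0x0] */
-static int
-parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
-int *err, gchar **err_info)
+static gboolean
+parse_cosine_packet(FILE_T fh, struct wtap_pkthdr *phdr, Buffer *buf,
+char *line, int *err, gchar **err_info)
 {
 union wtap_pseudo_header *pseudo_header = &phdr->pseudo_header;
 int num_items_scanned;
-int yy, mm, dd, hr, min, sec, csec, pkt_len;
+int yy, mm, dd, hr, min, sec, csec;
+guint pkt_len;
 int pro, off, pri, rm, error;
 guint code1, code2;
 char if_name[COSINE_MAX_IF_NAME_LEN] = "", direction[6] = "";
 struct tm tm;
+guint8 *pd;
+int i, hex_lines, n, caplen = 0;
 
 if (sscanf(line, "%4d-%2d-%2d,%2d:%2d:%2d.%9d:",
 &yy, &mm, &dd, &hr, &min, &sec, &csec) == 7) {
 /* appears to be output to a control blade */
 num_items_scanned = sscanf(line,
-"%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+"%4d-%2d-%2d,%2d:%2d:%2d.%9d: %5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
 &yy, &mm, &dd, &hr, &min, &sec, &csec,
 direction, if_name, &pkt_len,
 &pro, &off, &pri, &rm, &error,
@@ -365,23 +352,33 @@ parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
 if (num_items_scanned != 17) {
 *err = WTAP_ERR_BAD_FILE;
 *err_info = g_strdup("cosine: purported control blade line doesn't have code values");
-return -1;
+return FALSE;
 }
 } else {
 /* appears to be output to PE */
 num_items_scanned = sscanf(line,
-"%5s (%127[A-Za-z0-9/:]), Length:%9d, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
+"%5s (%127[A-Za-z0-9/:]), Length:%9u, Pro:%9d, Off:%9d, Pri:%9d, RM:%9d, Err:%9d [%8x, %8x]",
 direction, if_name, &pkt_len,
 &pro, &off, &pri, &rm, &error,
 &code1, &code2);
 
 if (num_items_scanned != 10) {
 *err = WTAP_ERR_BAD_FILE;
 *err_info = g_strdup("cosine: header line is neither control blade nor PE output");
-return -1;
+return FALSE;
 }
 yy = mm = dd = hr = min = sec = csec = 0;
 }
+if (pkt_len > WTAP_MAX_PACKET_SIZE) {
+/*
+* Probably a corrupt capture file; don't blow up trying
+* to allocate space for an immensely-large packet.
+*/
+*err = WTAP_ERR_BAD_FILE;
+*err_info = g_strdup_printf("cosine: File has %u-byte packet, bigger than maximum of %u",
+pkt_len, WTAP_MAX_PACKET_SIZE);
+return FALSE;
+}
 
 phdr->rec_type = REC_TYPE_PACKET;
 phdr->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
@@ -430,21 +427,8 @@ parse_cosine_rec_hdr(struct wtap_pkthdr *phdr, const char *line,
 pseudo_header->cosine.rm = rm;
 pseudo_header->cosine.err = error;
 
-return pkt_len;
-}
-
-/* Converts ASCII hex dump to binary data. Returns TRUE on success,
-FALSE if any error is encountered. */
-static gboolean
-parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr, int pkt_len,
-Buffer* buf, int *err, gchar **err_info)
-{
-guint8 *pd;
-gchar line[COSINE_LINE_LENGTH];
-int i, hex_lines, n, caplen = 0;
-
 /* Make sure we have enough room for the packet */
-ws_buffer_assure_space(buf, COSINE_MAX_PACKET_LEN);
+ws_buffer_assure_space(buf, pkt_len);
 pd = ws_buffer_start_ptr(buf);
 
 /* Calculate the number of hex dump lines, each
@@ -473,7 +457,6 @@ parse_cosine_hex_dump(FILE_T fh, struct wtap_pkthdr *phdr, int pkt_len,
 return TRUE;
 }
 
-
 /* Take a string representing one line from a hex dump and converts
  * the text to binary data. We place the bytes in the buffer at the
  * specified offset.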
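Review bot: The exact-size reservation at new line 431, `ws_buffer_assure_space(buf, pkt_len);`, leaves no slack for the final hex-dump line, and `parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset)` takes no remaining-length argument, so the helper cannot know where the reserved space ends. The loop that fills `pd` lies between the last two hunks and is not shown; if it stores whole lines (presumably 16 bytes each, going by the truncated comment at line 434), a file whose last line carries more bytes than the declared `Length:` leaves room for may write past the reservation, which the old fixed `COSINE_MAX_PACKET_LEN` reservation would have absorbed for small packets. Either reserve whole lines, e.g. `ws_buffer_assure_space(buf, (pkt_len + 15) / 16 * 16);` (safe from wrap-around because `pkt_len` is already capped by `WTAP_MAX_PACKET_SIZE`), or pass the remaining byte count into the helper and stop storing once `pkt_len` is reached. Whichever is chosen, a comment next to the reservation stating the per-line write bound would keep the sizing and the loop from drifting apart.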
