From ca6292a2a553aadb55e68ab8f57ddfac51b0e2fc Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Wed, 5 Jan 2011 13:03:34 +0100
Subject: [PATCH] fixed buffer overflow in ENTTEC dissector
Resolves: #662969
---
 wireshark-1.4.2-enttec-overflow.patch | 53 +++++++++++++++++++++++++++
 wireshark.spec | 7 +++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 wireshark-1.4.2-enttec-overflow.patch
diff --git a/wireshark-1.4.2-enttec-overflow.patch b/wireshark-1.4.2-enttec-overflow.patch
new file mode 100644
index 0000000..b37e8f8
--- /dev/null
+++ b/wireshark-1.4.2-enttec-overflow.patch
@@ -0,0 +1,53 @@
+666897 - Wireshark: Array index error in ENTTEC dissector
+
+commit 66966b531c0aff764644989a5bcda2b6ce46b51f
+Author: gerald
+Date: Fri Dec 31 22:24:06 2010 +0000
+
+ From FRAsse via bug 5539:
+
+ There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
+ potential code execution.
+
+ From me: ep_allocate our buffers.
+
+
+ git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35318 f5534014-38df-0310-8fa8-9805f1628bb7
+
+diff --git a/epan/dissectors/packet-enttec.c b/epan/dissectors/packet-enttec.c
+index 6e6cccc..66d3e18 100644
+--- a/epan/dissectors/packet-enttec.c
++++ b/epan/dissectors/packet-enttec.c
+@@ -193,8 +193,8 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ "%3u: %s"
+ };
+
+- static guint8 dmx_data[512];
+- static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
++ guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
++ guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
+ emem_strbuf_t *dmx_epstr;
+
+ proto_tree *hi,*si;
+@@ -225,10 +225,10 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ length = 512;
+
+ if (type == ENTTEC_DATA_TYPE_RLE) {
+- /* uncompres the DMX data */
++ /* uncompress the DMX data */
+ ui = 0;
+ ci = 0;
+- while (ci < length) {
++ while (ci < length && ui < 512) {
+ v = tvb_get_guint8(tvb, offset+ci);
+ if (v == 0xFE) {
+ ci++;
+@@ -236,7 +236,7 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ ci++;
+ v = tvb_get_guint8(tvb, offset+ci);
+ ci++;
+- for (i=0;i < count;i++) {
++ for (i=0;i < count && ui < 512;i++) {
+ dmx_data[ui] = v;
+ dmx_data_offset[ui] = ci-3;
+ ui++;
diff --git a/wireshark.spec b/wireshark.spec
index 90fac05..d60919b 100644
--- a/wireshark.spec
+++ b/wireshark.spec
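Review bot: The limit that closes the overflow is the bare literal `512`, repeated in the `ep_alloc(512 * sizeof(guint8))` size and in both new guards (`while (ci < length && ui < 512)` and `for (i=0;i < count && ui < 512;i++)`), with `513` for the offset array; nothing ties the guards to the allocation, so a later edit to one of them can silently reopen the out-of-bounds write. I would name the limit once, for example `#define ENTTEC_DMX_DATA_MAX 512` (the name is only a suggestion), size the two buffers as `ENTTEC_DMX_DATA_MAX` and `ENTTEC_DMX_DATA_MAX + 1` entries, compare `ui` against it, and add a comment on the inner loop such as `/* count comes from the packet; stop the run at the end of dmx_data */`. The other branches of the while loop and any use of `dmx_data_offset[ui]` after it lie outside these hunks, so whether every write is covered by the outer guard cannot be confirmed from this patch alone. Separately, the commit's `Resolves:` trailer names #662969 while the patch header and the new changelog entry give 666897; #662969 is the number on the previous changelog entry, so the trailer looks copied over and is worth correcting for traceability of the security fix.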
@@ -11,7 +11,7 @@
 Summary: Network traffic analyzer
 Name: wireshark
 Version: 1.4.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL+
 Group: Applications/Internet
 Source0: http://wireshark.org/download/src/%{name}-%{version}.tar.bz2
@@ -30,6 +30,7 @@ Patch2: wireshark-1.2.4-enable_lua.patch
 Patch3: wireshark-libtool-pie.patch
 Patch4: wireshark-1.4.0-doc-path.patch
 Patch5: wireshark-1.4.2-group-msg.patch
+Patch6: wireshark-1.4.2-enttec-overflow.patch
 Url: http://www.wireshark.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -104,6 +105,7 @@ and plugins.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1 -b .group-msg
+%patch6 -p1 -b .enttec-overflow
 %build
 %ifarch s390 s390x sparcv9 sparc64
@@ -301,6 +303,9 @@ fi
 %{_sbindir}/idl2wrs
 %changelog
+* Wed Jan 5 2011 Jan Safranek - 1.4.2-5
+- fixed buffer overflow in ENTTEC dissector (#666897)
+
 * Wed Dec 15 2010 Jan Safranek - 1.4.2-4
 - added epan/dissectors/*.h to -devel subpackage (#662969)