cffa7e37ec
Resolves: #2210867 - NetScaler file parser crash Resolves: #2210869 - RTPS dissector crash
From 74017383c8c73f25d12ef847c96854641f88fae4 Mon Sep 17 00:00:00 2001
|
|
From: Guy Harris <gharris@sonic.net>
|
|
Date: Fri, 19 May 2023 16:29:45 -0700
|
|
Subject: [PATCH] netscaler: add more checks to make sure the record is within
|
|
the page.
|
|
|
|
While we're at it, restructure some other checks to test-before-casting -
|
|
it's OK to test afterwards, but testing before makes it follow the
|
|
pattern used elsewhere.
|
|
|
|
Fixes #19081.
|
|
|
|
|
|
(cherry picked from commit cb190d6839ddcd4596b0205844f45553f1e77105)
|
|
---
|
|
wiretap/netscaler.c | 15 ++++++++++-----
|
|
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
|
|
index 8dcbd42a089..b94caca0869 100644
|
|
--- a/wiretap/netscaler.c
|
|
+++ b/wiretap/netscaler.c
|
|
@@ -641,6 +641,20 @@ static gboolean nstrace_dump(wtap_dumper *wdh, const wtap_rec *rec,
|
|
#define GET_READ_PAGE_SIZE(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE)?NSPR_PAGESIZE:remaining_file_size))
|
|
#define GET_READ_PAGE_SIZEV3(remaining_file_size) ((gint32)((remaining_file_size>NSPR_PAGESIZE_TRACE)?NSPR_PAGESIZE_TRACE:remaining_file_size))
|
|
|
|
+/*
|
|
+ * Check whether we have enough room to retrieve the data in the caller.
|
|
+ * If not, we have a malformed file.
|
|
+ */
|
|
+static gboolean nstrace_ensure_buflen(nstrace_t* nstrace, guint offset, guint len, int *err, gchar** err_info)
|
|
+{
|
|
+ if (offset > nstrace->nstrace_buflen || nstrace->nstrace_buflen - offset < len) {
|
|
+ *err = WTAP_ERR_BAD_FILE;
|
|
+ *err_info = g_strdup("nstrace: malformed file");
|
|
+ return FALSE;
|
|
+ }
|
|
+ return TRUE;
|
|
+}
|
|
+
|
|
static guint64 ns_hrtime2nsec(guint32 tm)
|
|
{
|
|
guint32 val = tm & NSPR_HRTIME_MASKTM;
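Review bot: The error text set in nstrace_ensure_buflen, `"nstrace: malformed file"`, does not say which bound failed, unlike the "record header crosses page boundary" message used by the PACKET_DESCRIBE macros later in this patch. Something like `*err_info = g_strdup_printf("nstrace: record at offset %u needs %u bytes, past the end of the page", offset, len);` would let a rejected capture be triaged from the error alone. The comparison itself is written so that the subtraction cannot wrap, which is worth a short comment, e.g. `/* test offset first so buflen - offset cannot wrap */`. The helper only reads through `nstrace`, so the parameter could be `const nstrace_t *`.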
|
|
@@ -1114,13 +1114,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int file_version, int *err,
|
|
|
|
#define PACKET_DESCRIBE(rec,FULLPART,fullpart,ver,type,HEADERVER) \
|
|
do {\
|
|
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
|
|
/* Make sure the record header is entirely contained in the page */\
|
|
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
|
|
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
|
|
*err = WTAP_ERR_BAD_FILE;\
|
|
*err_info = g_strdup("nstrace: record header crosses page boundary");\
|
|
return FALSE;\
|
|
}\
|
|
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
|
|
/* Check sanity of record size */\
|
|
if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
|
|
*err = WTAP_ERR_BAD_FILE;\
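Review bot: The reordered check in PACKET_DESCRIBE still computes `nstrace_buflen - nstrace_buf_offset` without first testing that the offset lies inside the buffer. If both are unsigned and an earlier record size has pushed the offset past the end, the difference wraps and the header test passes. The new nstrace_ensure_buflen guards against this with its `offset > nstrace->nstrace_buflen ||` term, and the macro could do the same: `if (nstrace_buf_offset > nstrace_buflen || (nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\`. Whether the enclosing loop already keeps the offset in range is not visible, since the macro body and its users lie outside the hunk. The v20 PACKET_DESCRIBE hunk at the end of the patch has the same subtraction against `nstrace->nstrace_buflen`, and any change there must keep the `g_free(nstrace_tmpbuff)` before the return.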
|
|
@@ -1186,6 +1186,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
case NSPR_ABSTIME_V10:
|
|
{
|
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
|
+ return FALSE;
|
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
|
*err = WTAP_ERR_BAD_FILE;
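Review bot: All three added checks in nstrace_read_v10 (this NSPR_ABSTIME_V10 case, and the NSPR_RELTIME_V10 and default cases in the next two hunks) require `sizeof(nspr_pktracefull_v10_t)` bytes, yet the only field the visible lines read through `fp` is `nsprRecordSize`. If the time records are smaller than a full packet record, a valid short record at the end of a page would be rejected as malformed; if the code after the hunk reads them through a larger structure, the check is too weak. The length passed should be that of the type actually dereferenced, or a comment such as `/* only the common header is read through fp; the full-packet size is a conservative bound */` should state why this size was chosen. The same two lines are repeated in each case and could be hoisted above the `switch` if nothing before it depends on the offset; the switch header is outside these hunks.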
|
|
@@ -1199,6 +1201,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
case NSPR_RELTIME_V10:
|
|
{
|
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
|
+ return FALSE;
|
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
@@ -1216,6 +1220,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
default:
|
|
{
|
|
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
|
|
+ return FALSE;
|
|
nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
|
|
if (pletoh16(&fp->nsprRecordSize) == 0) {
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
@@ -1500,14 +1506,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
#define PACKET_DESCRIBE(rec,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
|
|
do {\
|
|
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
|
|
/* Make sure the record header is entirely contained in the page */\
|
|
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
|
|
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
|
|
*err = WTAP_ERR_BAD_FILE;\
|
|
*err_info = g_strdup("nstrace: record header crosses page boundary");\
|
|
g_free(nstrace_tmpbuff);\
|
|
return FALSE;\
|
|
}\
|
|
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
|
|
(rec)->rec_type = REC_TYPE_PACKET;\
|
|
TIMEDEFV##ver((rec),fp,type);\
|
|
FULLPART##SIZEDEFV##ver((rec),fp,ver);\
|
|
--
|
|
GitLab
|