1
diff --git a/epan/ftypes/ftype-tvbuff.c b/epan/ftypes/ftype-tvbuff.c
2
index 8494d3d..a69da90 100644
3
--- a/epan/ftypes/ftype-tvbuff.c
4
+++ b/epan/ftypes/ftype-tvbuff.c
5
@@ -189,18 +189,18 @@ value_get(fvalue_t *fv)
13
- return tvb_length(fv->value.tvb);
17
+ length = tvb_length(fv->value.tvb);
29
@@ -226,22 +226,20 @@ cmp_eq(fvalue_t *fv_a, fvalue_t *fv_b)
31
tvbuff_t *a = fv_a->value.tvb;
32
tvbuff_t *b = fv_b->value.tvb;
33
+ gboolean eq = FALSE;
36
guint a_len = tvb_length(a);
38
- if (a_len != tvb_length(b)) {
40
+ if (a_len == tvb_length(b))
41
+ eq = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) == 0);
44
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) == 0);
56
@@ -249,22 +247,21 @@ cmp_ne(fvalue_t *fv_a, fvalue_t *fv_b)
58
tvbuff_t *a = fv_a->value.tvb;
59
tvbuff_t *b = fv_b->value.tvb;
63
guint a_len = tvb_length(a);
65
- if (a_len != tvb_length(b)) {
67
+ if (a_len == tvb_length(b)) {
68
+ ne = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) != 0);
72
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) != 0);
84
@@ -272,27 +269,24 @@ cmp_gt(fvalue_t *fv_a, fvalue_t *fv_b)
86
tvbuff_t *a = fv_a->value.tvb;
87
tvbuff_t *b = fv_b->value.tvb;
88
+ gboolean gt = FALSE;
91
guint a_len = tvb_length(a);
92
guint b_len = tvb_length(b);
97
+ } else if (a_len == b_len) {
98
+ gt = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) > 0);
101
- if (a_len < b_len) {
105
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) > 0);
117
@@ -300,27 +294,24 @@ cmp_ge(fvalue_t *fv_a, fvalue_t *fv_b)
119
tvbuff_t *a = fv_a->value.tvb;
120
tvbuff_t *b = fv_b->value.tvb;
121
+ gboolean ge = FALSE;
124
guint a_len = tvb_length(a);
125
guint b_len = tvb_length(b);
130
+ } else if (a_len == b_len) {
131
+ ge = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) >= 0);
134
- if (a_len < b_len) {
138
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) >= 0);
150
@@ -328,27 +319,24 @@ cmp_lt(fvalue_t *fv_a, fvalue_t *fv_b)
152
tvbuff_t *a = fv_a->value.tvb;
153
tvbuff_t *b = fv_b->value.tvb;
154
+ gboolean lt = FALSE;
157
guint a_len = tvb_length(a);
158
guint b_len = tvb_length(b);
163
+ } else if (a_len == b_len) {
164
+ lt = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) < 0);
167
- if (a_len > b_len) {
171
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) < 0);
183
@@ -356,46 +344,42 @@ cmp_le(fvalue_t *fv_a, fvalue_t *fv_b)
185
tvbuff_t *a = fv_a->value.tvb;
186
tvbuff_t *b = fv_b->value.tvb;
187
+ gboolean le = FALSE;
190
guint a_len = tvb_length(a);
191
guint b_len = tvb_length(b);
196
+ } else if (a_len == b_len) {
197
+ le = (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) <= 0);
200
- if (a_len > b_len) {
204
- return (memcmp(tvb_get_ptr(a, 0, a_len), tvb_get_ptr(b, 0, a_len), a_len) <= 0);
216
cmp_contains(fvalue_t *fv_a, fvalue_t *fv_b)
218
+ gboolean contains = FALSE;
221
if (tvb_find_tvb(fv_a->value.tvb, fv_b->value.tvb, 0) > -1) {
239
diff --git a/epan/packet.c b/epan/packet.c
240
index 72ca341..b4e5bd9 100644
243
@@ -352,7 +352,31 @@ dissect_packet(epan_dissect_t *edt, union wtap_pseudo_header *pseudo_header,
244
EP_CHECK_CANARY(("before dissecting frame %d",fd->num));
247
- edt->tvb = tvb_new_real_data(pd, fd->cap_len, fd->pkt_len);
249
+ * XXX - currently, the length arguments to
250
+ * tvb_new_real_data() are signed, but the captured
251
+ * and reported length values are unsigned; this means
252
+ * that length values > 2^31 - 1 will appear as
253
+ * negative lengths in tvb_new_real_data().
255
+ * Captured length values that large will already
256
+ * have been filtered out by the Wiretap modules
257
+ * (the file will be reported as corrupted), to
258
+ * avoid trying to allocate large chunks of data.
260
+ * Reported length values will not have been
261
+ * filtered out, and should not be filtered out,
262
+ * as those lengths are not necessarily invalid.
264
+ * For now, we clip the reported length at G_MAXINT,
265
+ * so that tvb_new_real_data() doesn't fail. It
266
+ * would throw an exception, which we'd catch, but
267
+ * that would mean we would have no tvbuffs
268
+ * associated with edt, which would upset much of
269
+ * the rest of the application.
271
+ edt->tvb = tvb_new_real_data(pd, fd->cap_len,
272
+ fd->pkt_len > G_MAXINT ? G_MAXINT : fd->pkt_len);
273
/* Add this tvbuffer into the data_src list */
274
packet_add_new_data_source(&edt->pi, edt->tree, edt->tvb, "Frame");
276
diff --git a/epan/to_str.c b/epan/to_str.c
277
index f92afe5..13b305b 100644
287
* If a user _does_ pass in a too-small buffer, this is probably
288
@@ -96,6 +97,9 @@ bytestring_to_str(const guint8 *ad, guint32 len, char punct) {
289
static const gchar hex_digits[16] =
290
{ '0', '1', '2', '3', '4', '5', '6', '7',
291
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
293
+ REPORT_DISSECTOR_BUG("Null pointer passed to bytestring_to_str()");
298
diff --git a/wiretap/5views.c b/wiretap/5views.c
299
index f1fb49b..57a1a9a 100644
300
--- a/wiretap/5views.c
301
+++ b/wiretap/5views.c
302
@@ -240,6 +240,16 @@ _5views_read(wtap *wth, int *err, gchar **err_info _U_, gint64 *data_offset)
304
packet_size = TimeStamped_Header.RecSize;
305
orig_size = TimeStamped_Header.RecSize;
306
+ if (packet_size > WTAP_MAX_PACKET_SIZE) {
308
+ * Probably a corrupt capture file; don't blow up trying
309
+ * to allocate space for an immensely-large packet.
311
+ *err = WTAP_ERR_BAD_RECORD;
312
+ *err_info = g_strdup_printf("5views: File has %u-byte packet, bigger than maximum of %u",
313
+ packet_size, WTAP_MAX_PACKET_SIZE);
317
*data_offset = wth->data_offset;
319
diff --git a/wiretap/airopeek9.c b/wiretap/airopeek9.c
320
index 2f7eeb3..6db9ab0 100644
321
--- a/wiretap/airopeek9.c
322
+++ b/wiretap/airopeek9.c
323
@@ -497,10 +497,23 @@ static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info,
325
wth->data_offset += hdrlen;
327
- /* force sliceLength to be the actual length of the packet */
329
+ * If sliceLength is 0, force it to be the actual length of the packet.
331
if (hdr_info.sliceLength == 0)
332
hdr_info.sliceLength = hdr_info.length;
334
+ if (hdr_info.sliceLength > WTAP_MAX_PACKET_SIZE) {
336
+ * Probably a corrupt capture file; don't blow up trying
337
+ * to allocate space for an immensely-large packet.
339
+ *err = WTAP_ERR_BAD_RECORD;
340
+ *err_info = g_strdup_printf("airopeek9: File has %u-byte packet, bigger than maximum of %u",
341
+ hdr_info.sliceLength, WTAP_MAX_PACKET_SIZE);
345
/* fill in packet header length values before slicelength may be
347
wth->phdr.len = hdr_info.length;
348
diff --git a/wiretap/i4btrace.c b/wiretap/i4btrace.c
349
index dceeb03..0a22296 100644
350
--- a/wiretap/i4btrace.c
351
+++ b/wiretap/i4btrace.c
352
@@ -139,6 +139,16 @@ static gboolean i4btrace_read(wtap *wth, int *err, gchar **err_info,
355
length = hdr.length - (guint32)sizeof(hdr);
356
+ if (length > WTAP_MAX_PACKET_SIZE) {
358
+ * Probably a corrupt capture file; don't blow up trying
359
+ * to allocate space for an immensely-large packet.
361
+ *err = WTAP_ERR_BAD_RECORD;
362
+ *err_info = g_strdup_printf("i4btrace: File has %u-byte packet, bigger than maximum of %u",
363
+ length, WTAP_MAX_PACKET_SIZE);
367
wth->phdr.len = length;
368
wth->phdr.caplen = length;
369
diff --git a/wiretap/iptrace.c b/wiretap/iptrace.c
370
index adc69ad..afc79fd 100644
371
--- a/wiretap/iptrace.c
372
+++ b/wiretap/iptrace.c
373
@@ -152,7 +152,18 @@ static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info _U_,
374
wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
376
/* Read the packet data */
377
- packet_size = pntohl(&header[0]) - IPTRACE_1_0_PDATA_SIZE;
378
+ packet_size = pntohl(&header[0]);
379
+ if (packet_size < IPTRACE_1_0_PDATA_SIZE) {
381
+ * Uh-oh, the record isn't big enough to even have a
382
+ * packet meta-data header.
384
+ *err = WTAP_ERR_BAD_RECORD;
385
+ *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
389
+ packet_size -= IPTRACE_1_0_PDATA_SIZE;
392
* AIX appears to put 3 bytes of padding in front of FDDI
393
@@ -163,6 +174,16 @@ static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info _U_,
394
* The packet size is really a record size and includes
397
+ if (packet_size < 3) {
399
+ * Uh-oh, the record isn't big enough to even have
402
+ *err = WTAP_ERR_BAD_RECORD;
403
+ *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
404
+ packet_size + IPTRACE_1_0_PDATA_SIZE);
408
wth->data_offset += 3;
410
@@ -172,6 +193,16 @@ static gboolean iptrace_read_1_0(wtap *wth, int *err, gchar **err_info _U_,
411
if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err))
412
return FALSE; /* Read error */
414
+ if (packet_size > WTAP_MAX_PACKET_SIZE) {
416
+ * Probably a corrupt capture file; don't blow up trying
417
+ * to allocate space for an immensely-large packet.
419
+ *err = WTAP_ERR_BAD_RECORD;
420
+ *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
421
+ packet_size, WTAP_MAX_PACKET_SIZE);
425
buffer_assure_space( wth->frame_buffer, packet_size );
426
data_ptr = buffer_start_ptr( wth->frame_buffer );
427
@@ -331,7 +362,18 @@ static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info _U_,
428
wth->phdr.pkt_encap = wtap_encap_ift(pkt_hdr.if_type);
430
/* Read the packet data */
431
- packet_size = pntohl(&header[0]) - IPTRACE_2_0_PDATA_SIZE;
432
+ packet_size = pntohl(&header[0]);
433
+ if (packet_size < IPTRACE_2_0_PDATA_SIZE) {
435
+ * Uh-oh, the record isn't big enough to even have a
436
+ * packet meta-data header.
438
+ *err = WTAP_ERR_BAD_RECORD;
439
+ *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
443
+ packet_size -= IPTRACE_2_0_PDATA_SIZE;
446
* AIX appears to put 3 bytes of padding in front of FDDI
447
@@ -342,6 +384,16 @@ static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info _U_,
448
* The packet size is really a record size and includes
451
+ if (packet_size < 3) {
453
+ * Uh-oh, the record isn't big enough to even have
456
+ *err = WTAP_ERR_BAD_RECORD;
457
+ *err_info = g_strdup_printf("iptrace: file has a %u-byte record, too small to have even a packet meta-data header",
458
+ packet_size + IPTRACE_2_0_PDATA_SIZE);
462
wth->data_offset += 3;
464
@@ -351,6 +403,16 @@ static gboolean iptrace_read_2_0(wtap *wth, int *err, gchar **err_info _U_,
465
if (!iptrace_read_rec_data(wth->fh, fddi_padding, 3, err))
466
return FALSE; /* Read error */
468
+ if (packet_size > WTAP_MAX_PACKET_SIZE) {
470
+ * Probably a corrupt capture file; don't blow up trying
471
+ * to allocate space for an immensely-large packet.
473
+ *err = WTAP_ERR_BAD_RECORD;
474
+ *err_info = g_strdup_printf("iptrace: File has %u-byte packet, bigger than maximum of %u",
475
+ packet_size, WTAP_MAX_PACKET_SIZE);
479
buffer_assure_space( wth->frame_buffer, packet_size );
480
data_ptr = buffer_start_ptr( wth->frame_buffer );
481
diff --git a/wiretap/lanalyzer.c b/wiretap/lanalyzer.c
482
index 6cca77d..cb60a61 100644
483
--- a/wiretap/lanalyzer.c
484
+++ b/wiretap/lanalyzer.c
485
@@ -319,6 +319,16 @@ static gboolean lanalyzer_read(wtap *wth, int *err, gchar **err_info,
489
+ if (record_length < DESCRIPTOR_LEN) {
491
+ * Uh-oh, the record isn't big enough to even have a
494
+ *err = WTAP_ERR_BAD_RECORD;
495
+ *err_info = g_strdup_printf("lanalyzer: file has a %u-byte record, too small to have even a packet descriptor",
499
packet_size = record_length - DESCRIPTOR_LEN;
502
diff --git a/wiretap/netmon.c b/wiretap/netmon.c
503
index 90921d5..c82ff9f 100644
504
--- a/wiretap/netmon.c
505
+++ b/wiretap/netmon.c
506
@@ -271,6 +271,26 @@ int netmon_open(wtap *wth, int *err, gchar **err_info)
507
g_free(wth->capture.netmon);
511
+ * XXX - clamp the size of the frame table, so that we don't
512
+ * attempt to allocate a huge frame table and fail.
514
+ * Given that file offsets in the frame table are 32-bit,
515
+ * a NetMon file cannot be bigger than 2^32 bytes.
516
+ * Given that a NetMon 1.x-format packet header is 8 bytes,
517
+ * that means a NetMon file cannot have more than
518
+ * 512*2^20 packets. We'll pick that as the limit for
519
+ * now; it's 1/8th of a 32-bit address space, which is
520
+ * probably not going to exhaust the address space all by
521
+ * itself, and probably won't exhaust the backing store.
523
+ if (frame_table_size > 512*1024*1024) {
524
+ *err = WTAP_ERR_UNSUPPORTED;
525
+ *err_info = g_strdup_printf("netmon: frame table length is %u, which is larger than we support",
526
+ frame_table_length);
527
+ g_free(wth->capture.netmon);
530
if (file_seek(wth->fh, frame_table_offset, SEEK_SET, err) == -1) {
531
g_free(wth->capture.netmon);
533
diff --git a/wiretap/nettl.c b/wiretap/nettl.c
534
index 5e2dbec..da8ca72 100644
535
--- a/wiretap/nettl.c
536
+++ b/wiretap/nettl.c
537
@@ -306,6 +306,17 @@ static gboolean nettl_read(wtap *wth, int *err, gchar **err_info,
539
wth->data_offset += ret;
541
+ if (wth->phdr.caplen > WTAP_MAX_PACKET_SIZE) {
543
+ * Probably a corrupt capture file; don't blow up trying
544
+ * to allocate space for an immensely-large packet.
546
+ *err = WTAP_ERR_BAD_RECORD;
547
+ *err_info = g_strdup_printf("nettl: File has %u-byte packet, bigger than maximum of %u",
548
+ wth->phdr.caplen, WTAP_MAX_PACKET_SIZE);
553
* If the per-file encapsulation isn't known, set it to this
554
* packet's encapsulation.
555
diff --git a/wiretap/packetlogger.c b/wiretap/packetlogger.c
556
index e993564..fdc8cce 100644
557
--- a/wiretap/packetlogger.c
558
+++ b/wiretap/packetlogger.c
559
@@ -106,6 +106,16 @@ packetlogger_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
560
*err = WTAP_ERR_BAD_RECORD;
563
+ if (pl_hdr.len - 8 > WTAP_MAX_PACKET_SIZE) {
565
+ * Probably a corrupt capture file; don't blow up trying
566
+ * to allocate space for an immensely-large packet.
568
+ *err = WTAP_ERR_BAD_RECORD;
569
+ *err_info = g_strdup_printf("packetlogger: File has %u-byte packet, bigger than maximum of %u",
570
+ pl_hdr.len - 8, WTAP_MAX_PACKET_SIZE);
574
buffer_assure_space(wth->frame_buffer, pl_hdr.len - 8);
575
bytes_read = file_read(buffer_start_ptr(wth->frame_buffer), 1,