[wireshark] fixed buffer overflow in ENTTEC dissector Resolves: #662969

Jan Šafránek jsafrane at fedoraproject.org
Wed Jan 5 12:04:04 UTC 2011


commit ca6292a2a553aadb55e68ab8f57ddfac51b0e2fc
Author: Jan Safranek <jsafrane at redhat.com>
Date:   Wed Jan 5 13:03:34 2011 +0100

    fixed buffer overflow in ENTTEC dissector
    Resolves: #662969

 wireshark-1.4.2-enttec-overflow.patch |   53 +++++++++++++++++++++++++++++++++
 wireshark.spec                        |    7 ++++-
 2 files changed, 59 insertions(+), 1 deletions(-)
---
diff --git a/wireshark-1.4.2-enttec-overflow.patch b/wireshark-1.4.2-enttec-overflow.patch
new file mode 100644
index 0000000..b37e8f8
--- /dev/null
+++ b/wireshark-1.4.2-enttec-overflow.patch
@@ -0,0 +1,53 @@
+666897 - Wireshark: Array index error in ENTTEC dissector
+
+commit 66966b531c0aff764644989a5bcda2b6ce46b51f
+Author: gerald <gerald at f5534014-38df-0310-8fa8-9805f1628bb7>
+Date:   Fri Dec 31 22:24:06 2010 +0000
+
+    From FRAsse via bug 5539:
+    
+    There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
+    potential code execution.
+    
+    From me: ep_allocate our buffers.
+    
+    
+    git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35318 f5534014-38df-0310-8fa8-9805f1628bb7
+
+diff --git a/epan/dissectors/packet-enttec.c b/epan/dissectors/packet-enttec.c
+index 6e6cccc..66d3e18 100644
+--- a/epan/dissectors/packet-enttec.c
++++ b/epan/dissectors/packet-enttec.c
+@@ -193,8 +193,8 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 		"%3u: %s"
+ 	};
+ 
+-	static guint8 dmx_data[512];
+-	static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
++	guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
++	guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
+ 	emem_strbuf_t *dmx_epstr;
+ 
+ 	proto_tree *hi,*si;
+@@ -225,10 +225,10 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 		length = 512;
+ 
+ 	if (type == ENTTEC_DATA_TYPE_RLE) {
+-		/* uncompres the DMX data */
++		/* uncompress the DMX data */
+ 		ui = 0;
+ 		ci = 0;
+-		while (ci < length) {
++		while (ci < length && ui < 512) {
+ 			v = tvb_get_guint8(tvb, offset+ci);
+ 			if (v == 0xFE) {
+ 				ci++;
+@@ -236,7 +236,7 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 				ci++;
+ 				v = tvb_get_guint8(tvb, offset+ci);
+ 				ci++;
+-				for (i=0;i < count;i++) {
++				for (i=0;i < count && ui < 512;i++) {
+ 					dmx_data[ui] = v;
+ 					dmx_data_offset[ui] = ci-3;
+ 					ui++;
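Review bot: The bound 512 is hard-coded in both new loop guards (`ci < length && ui < 512` and `i < count && ui < 512`) and again in the two `ep_alloc` sizes, so the fix holds only while all of them stay in step. A named constant such as `#define ENTTEC_DMX_SLOTS 512` (the name is only a suggestion), used for both allocations (`ENTTEC_DMX_SLOTS + 1` for the offset array) and both guards, would tie the check to the buffer size. The guards also truncate an over-long RLE expansion silently, so a comment like `/* stop at the buffer size: a 0xFE run can expand past 512 slots */` on the `while` line would record why they exist. dissect_enttec_dmx_data continues outside the hunk, so the remaining branches of the loop are not visible here; they presumably rely on the outer `ui < 512` test, which is worth confirming when the patch is applied. Separately, this patch header cites 666897 while the commit message says `Resolves: #662969`, the number cited by the previous changelog entry, so the bug reference in the message looks mistaken.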
diff --git a/wireshark.spec b/wireshark.spec
index 90fac05..d60919b 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -11,7 +11,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	1.4.2
-Release:	4%{?dist}
+Release:	5%{?dist}
 License:	GPL+
 Group:		Applications/Internet
 Source0:	http://wireshark.org/download/src/%{name}-%{version}.tar.bz2
@@ -30,6 +30,7 @@ Patch2:		wireshark-1.2.4-enable_lua.patch
 Patch3:		wireshark-libtool-pie.patch
 Patch4:		wireshark-1.4.0-doc-path.patch
 Patch5:		wireshark-1.4.2-group-msg.patch
+Patch6:		wireshark-1.4.2-enttec-overflow.patch
 
 Url:		http://www.wireshark.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -104,6 +105,7 @@ and plugins.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1 -b .group-msg
+%patch6 -p1 -b .enttec-overflow
 
 %build
 %ifarch s390 s390x sparcv9 sparc64
@@ -301,6 +303,9 @@ fi
 %{_sbindir}/idl2wrs
 
 %changelog
+* Wed Jan  5 2011 Jan Safranek <jsafrane at redhat.com> - 1.4.2-5
+- fixed buffer overflow in ENTTEC dissector (#666897)
+
 * Wed Dec 15 2010 Jan Safranek <jsafrane at redhat.com> - 1.4.2-4
 - added epan/dissectors/*.h to -devel subpackage (#662969)
 

