[wireshark/f13/master] fixed buffer overflow in ENTTEC dissector Resolves: #662969

Jan Šafránek jsafrane at fedoraproject.org
Wed Jan 5 12:16:07 UTC 2011


commit 5b2ac4489660824db79a1139542a2b23dd67bd52
Author: Jan Safranek <jsafrane at redhat.com>
Date:   Wed Jan 5 13:15:53 2011 +0100

    fixed buffer overflow in ENTTEC dissector
    Resolves: #662969

 wireshark-1.4.2-enttec-overflow.patch |   53 +++++++++++++++++++++++++++++++++
 wireshark.spec                        |    9 ++++-
 2 files changed, 60 insertions(+), 2 deletions(-)
---
diff --git a/wireshark-1.4.2-enttec-overflow.patch b/wireshark-1.4.2-enttec-overflow.patch
new file mode 100644
index 0000000..b37e8f8
--- /dev/null
+++ b/wireshark-1.4.2-enttec-overflow.patch
@@ -0,0 +1,53 @@
+666897 - Wireshark: Array index error in ENTTEC dissector
+
+commit 66966b531c0aff764644989a5bcda2b6ce46b51f
+Author: gerald <gerald at f5534014-38df-0310-8fa8-9805f1628bb7>
+Date:   Fri Dec 31 22:24:06 2010 +0000
+
+    From FRAsse via bug 5539:
+    
+    There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
+    potential code execution.
+    
+    From me: ep_allocate our buffers.
+    
+    
+    git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35318 f5534014-38df-0310-8fa8-9805f1628bb7
+
+diff --git a/epan/dissectors/packet-enttec.c b/epan/dissectors/packet-enttec.c
+index 6e6cccc..66d3e18 100644
+--- a/epan/dissectors/packet-enttec.c
++++ b/epan/dissectors/packet-enttec.c
+@@ -193,8 +193,8 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 		"%3u: %s"
+ 	};
+ 
+-	static guint8 dmx_data[512];
+-	static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
++	guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
++	guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
+ 	emem_strbuf_t *dmx_epstr;
+ 
+ 	proto_tree *hi,*si;
+@@ -225,10 +225,10 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 		length = 512;
+ 
+ 	if (type == ENTTEC_DATA_TYPE_RLE) {
+-		/* uncompres the DMX data */
++		/* uncompress the DMX data */
+ 		ui = 0;
+ 		ci = 0;
+-		while (ci < length) {
++		while (ci < length && ui < 512) {
+ 			v = tvb_get_guint8(tvb, offset+ci);
+ 			if (v == 0xFE) {
+ 				ci++;
+@@ -236,7 +236,7 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ 				ci++;
+ 				v = tvb_get_guint8(tvb, offset+ci);
+ 				ci++;
+-				for (i=0;i < count;i++) {
++				for (i=0;i < count && ui < 512;i++) {
+ 					dmx_data[ui] = v;
+ 					dmx_data_offset[ui] = ci-3;
+ 					ui++;
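Review bot: The overflow fix relies on the literal 512 agreeing in three places in the embedded packet-enttec.c patch, the `ep_alloc(512 * sizeof(guint8))` size and the two new `ui < 512` guards, plus the 513 used for `dmx_data_offset`, and nothing ties them together. A named constant would keep the loop bound and the buffer sizes from drifting apart, for example `#define ENTTEC_DMX_MAX 512` (the name is only a suggestion), with the guards written as `ui < ENTTEC_DMX_MAX` and the two allocations sized from the same constant (the offset array with `+ 1`). The guards also drop excess RLE output silently, so a comment such as `/* stop at 512 channels: whatever an RLE run expands to beyond that is discarded */` would record that the truncation is intentional. The while loop and the rest of dissect_enttec_dmx_data continue outside the hunk, so the other writes to `dmx_data[ui]` cannot be checked from here.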
diff --git a/wireshark.spec b/wireshark.spec
index aa6c9fc..0eda2fb 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -16,7 +16,7 @@ Version:	1.2.13
 %if %{svn_version}
 Release: 	0.%{svn_version}%{?dist}
 %else
-Release: 	1%{?dist}
+Release: 	2%{?dist}
 %endif
 License: 	GPL+
 Group: 		Applications/Internet
@@ -38,6 +38,7 @@ Patch7:		wireshark-1.2.8-disable_warning_dialog.patch
 Patch8:		wireshark-1.2.6-nfs40-backchnl-decode.patch
 Patch9:		wireshark-1.2.6-smb-find-full-dir-info.patch
 Patch10:	wireshark-libtool-pie.patch
+Patch11:	wireshark-1.4.2-enttec-overflow.patch
 
 Url: 		http://www.wireshark.org/
 BuildRoot: 	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -125,6 +126,7 @@ and plugins.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1 -b .enttec-overflow
 
 %build
 %ifarch s390 s390x sparcv9 sparc64
@@ -324,7 +326,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/idl2wrs
 
 %changelog
-* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com>
+* Wed Jan  5 2011 Jan Safranek <jsafrane at redhat.com> - 1.2.13-2
+- fixed buffer overflow in ENTTEC dissector (#666897)
+
+* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com> - 1.2.13-1
 - upgrade to 1.2.13
 - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.13.html
 

