[wireshark/f13/master] fixed buffer overflow in ENTTEC dissector Resolves: #662969
Jan Šafránek
jsafrane at fedoraproject.org
Wed Jan 5 12:16:07 UTC 2011
commit 5b2ac4489660824db79a1139542a2b23dd67bd52
Author: Jan Safranek <jsafrane at redhat.com>
Date: Wed Jan 5 13:15:53 2011 +0100

    fixed buffer overflow in ENTTEC dissector

    Resolves: #662969

 wireshark-1.4.2-enttec-overflow.patch | 53 +++++++++++++++++++++++++++++++++
 wireshark.spec | 9 ++++-
 2 files changed, 60 insertions(+), 2 deletions(-)
---
diff --git a/wireshark-1.4.2-enttec-overflow.patch b/wireshark-1.4.2-enttec-overflow.patch
new file mode 100644
index 0000000..b37e8f8
--- /dev/null
+++ b/wireshark-1.4.2-enttec-overflow.patch
@@ -0,0 +1,53 @@
+666897 - Wireshark: Array index error in ENTTEC dissector
+
+commit 66966b531c0aff764644989a5bcda2b6ce46b51f
+Author: gerald <gerald at f5534014-38df-0310-8fa8-9805f1628bb7>
+Date: Fri Dec 31 22:24:06 2010 +0000
+
+ From FRAsse via bug 5539:
+
+ There's a buffer overflow in ENTTEC DMX Data RLE, leading to crashes and
+ potential code execution.
+
+ From me: ep_allocate our buffers.
+
+
+ git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35318 f5534014-38df-0310-8fa8-9805f1628bb7
+
+diff --git a/epan/dissectors/packet-enttec.c b/epan/dissectors/packet-enttec.c
+index 6e6cccc..66d3e18 100644
+--- a/epan/dissectors/packet-enttec.c
++++ b/epan/dissectors/packet-enttec.c
+@@ -193,8 +193,8 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ "%3u: %s"
+ };
+
+- static guint8 dmx_data[512];
+- static guint16 dmx_data_offset[513]; /* 1 extra for last offset */
++ guint8 *dmx_data = ep_alloc(512 * sizeof(guint8));
++ guint16 *dmx_data_offset = ep_alloc(513 * sizeof(guint16)); /* 1 extra for last offset */
+ emem_strbuf_t *dmx_epstr;
+
+ proto_tree *hi,*si;
+@@ -225,10 +225,10 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ length = 512;
+
+ if (type == ENTTEC_DATA_TYPE_RLE) {
+- /* uncompres the DMX data */
++ /* uncompress the DMX data */
+ ui = 0;
+ ci = 0;
+- while (ci < length) {
++ while (ci < length && ui < 512) {
+ v = tvb_get_guint8(tvb, offset+ci);
+ if (v == 0xFE) {
+ ci++;
+@@ -236,7 +236,7 @@ dissect_enttec_dmx_data(tvbuff_t *tvb, guint offset, proto_tree *tree)
+ ci++;
+ v = tvb_get_guint8(tvb, offset+ci);
+ ci++;
+- for (i=0;i < count;i++) {
++ for (i=0;i < count && ui < 512;i++) {
+ dmx_data[ui] = v;
+ dmx_data_offset[ui] = ci-3;
+ ui++;
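Review bot: Hitting the new `ui < 512` limit in the embedded packet-enttec.c hunks (the `while (ci < length && ui < 512)` condition and the `for (i=0;i < count && ui < 512;i++)` run loop) is silent: an RLE stream that expands past 512 slots is cut off and the frame is then dissected as if it were well formed. Consider marking that case in the tree (an expert-info or malformed-packet item) so a capture carrying an oversized run stands out to the analyst instead of looking like ordinary DMX data. Two smaller points on the same change: the literal 512 now appears in both allocations and both loop conditions, so a named constant would keep the buffer size and the checks from drifting apart; and the buffers moved from `static` storage, which is zero-initialised, to `ep_alloc`, which does not clear memory, so code after the loop should read only the first `ui` entries or the allocation should be `ep_alloc0`.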
diff --git a/wireshark.spec b/wireshark.spec
index aa6c9fc..0eda2fb 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -16,7 +16,7 @@ Version: 1.2.13
%if %{svn_version}
Release: 0.%{svn_version}%{?dist}
%else
-Release: 1%{?dist}
+Release: 2%{?dist}
%endif
License: GPL+
Group: Applications/Internet
@@ -38,6 +38,7 @@ Patch7: wireshark-1.2.8-disable_warning_dialog.patch
Patch8: wireshark-1.2.6-nfs40-backchnl-decode.patch
Patch9: wireshark-1.2.6-smb-find-full-dir-info.patch
Patch10: wireshark-libtool-pie.patch
+Patch11: wireshark-1.4.2-enttec-overflow.patch
Url: http://www.wireshark.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
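Review bot: `Patch11: wireshark-1.4.2-enttec-overflow.patch` is named for 1.4.2 while this spec builds 1.2.13 (see `Version: 1.2.13` in the first hunk header), and nothing in the spec says why. A one-line comment above `Patch11` stating that it is a backport of the upstream fix quoted in the patch header (svn r35318, bug 5539) would make the origin clear to whoever next rebases the package and has to decide whether the patch can be dropped.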
@@ -125,6 +126,7 @@ and plugins.
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1 -b .enttec-overflow
%build
%ifarch s390 s390x sparcv9 sparc64
@@ -324,7 +326,10 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/idl2wrs
%changelog
-* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com>
+* Wed Jan 5 2011 Jan Safranek <jsafrane at redhat.com> - 1.2.13-2
+- fixed buffer overflow in ENTTEC dissector (#666897)
+
+* Mon Nov 22 2010 Jan Safranek <jsafrane at redhat.com> - 1.2.13-1
- upgrade to 1.2.13
- see http://www.wireshark.org/docs/relnotes/wireshark-1.2.13.html
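Review bot: The new changelog line cites `(#666897)`, which matches the first line of the added patch file, but the commit subject says `Resolves: #662969`. Please confirm which bug tracks this fix and make the commit message and changelog agree, or list both ids in the changelog if one is the tracker for the other, so the fix can be found from either bug.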