2 bugs do make a right in Wireshark
Lets look at the current Wireshark source.
table_length = tvb_get_ntohl(tvb, offset);
Looks like it's grabbing a 32bit integer.
tf = proto_tree_add_item(info_tree, hf_address_table_length, tvb, offset, 4, ENC_BIG_ENDIAN);
element_tree = proto_item_add_subtree(tf, ett_table_element);
EAT(4);
And it uses up 4 bytes with that EAT(4).
if (wccp_wccp_address_table->in_use == FALSE) {
wccp_wccp_address_table->family = family;
wccp_wccp_address_table->table_length = table_length;
/* check if the length is valid and allocate the tables if needed */
switch (wccp_wccp_address_table->family) {
case 1:
if (wccp_wccp_address_table->table_ipv4 == NULL)
wccp_wccp_address_table->table_ipv4 = (guint32 *)
wmem_alloc0(pinfo->pool, wccp_wccp_address_table->table_length * 4);
We have an integer overflow in the alloc on 32 bit systems (where size_t is 32bits). These are potentially useful since you can get a heap overflow if you have an alloc size mismatch with the size of the buffer being used. Bug 1.
No wait..
Lets double check some things.
static gint
dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset, int length,
packet_info *pinfo, proto_tree *info_tree, wc
cp_address_table* wccp_wccp_address_table)
{
guint16 address_length;
guint32 i;
gint16 family;
guint16 table_length;
proto_tree *element_tree;
proto_item *tf;
Uh oh. Looks like table_length is declared as 16bit.. even though the code I showed earlier believes its 32 bits. Bug 2.
/* with version 2.01 we now have a address table which is possibly present */
typedef struct wccp_address_table {
gboolean in_use;
gint16 family;
gint16 version;
guint16 table_length;
guint32 *table_ipv4;
struct e_in6_addr *table_ipv6;
} wccp_address_table;
Given that table_length is 16bits, the alloc() function earlier won't integer overflow.
2 bugs don't make a right. Except, in this case, they do.
table_length = tvb_get_ntohl(tvb, offset);
Looks like it's grabbing a 32bit integer.
tf = proto_tree_add_item(info_tree, hf_address_table_length, tvb, offset, 4, ENC_BIG_ENDIAN);
element_tree = proto_item_add_subtree(tf, ett_table_element);
EAT(4);
And it uses up 4 bytes with that EAT(4).
if (wccp_wccp_address_table->in_use == FALSE) {
wccp_wccp_address_table->family = family;
wccp_wccp_address_table->table_length = table_length;
/* check if the length is valid and allocate the tables if needed */
switch (wccp_wccp_address_table->family) {
case 1:
if (wccp_wccp_address_table->table_ipv4 == NULL)
wccp_wccp_address_table->table_ipv4 = (guint32 *)
wmem_alloc0(pinfo->pool, wccp_wccp_address_table->table_length * 4);
We have an integer overflow in the alloc on 32 bit systems (where size_t is 32bits). These are potentially useful since you can get a heap overflow if you have an alloc size mismatch with the size of the buffer being used. Bug 1.
No wait..
Lets double check some things.
static gint
dissect_wccp2r1_address_table_info(tvbuff_t *tvb, int offset, int length,
packet_info *pinfo, proto_tree *info_tree, wc
cp_address_table* wccp_wccp_address_table)
{
guint16 address_length;
guint32 i;
gint16 family;
guint16 table_length;
proto_tree *element_tree;
proto_item *tf;
Uh oh. Looks like table_length is declared as 16bit.. even though the code I showed earlier believes its 32 bits. Bug 2.
/* with version 2.01 we now have a address table which is possibly present */
typedef struct wccp_address_table {
gboolean in_use;
gint16 family;
gint16 version;
guint16 table_length;
guint32 *table_ipv4;
struct e_in6_addr *table_ipv6;
} wccp_address_table;
Given that table_length is 16bits, the alloc() function earlier won't integer overflow.
2 bugs don't make a right. Except, in this case, they do.