Ethereal-dev: [Ethereal-dev] pppdump & 0.8.14.
pppdump import does not work in ethereal 0.8.14.
There is a check that fires incorrectly because the size of a pointer is
taken by mistake. It makes pppdump opening fundamentally broken.
The following patch will remedy this. Also added is a similar
check to ensure other buffers are handled safely.
Cheers
Daniel
--xx--
diff -Naur ethereal-0.8.14/wiretap/pppdump.c ethereal/wiretap/pppdump.c
--- ethereal-0.8.14/wiretap/pppdump.c Mon Nov 20 04:36:24 2000
+++ ethereal/wiretap/pppdump.c Fri Dec 8 12:13:40 2000
@@ -83,6 +83,11 @@
#define PPPD_NULL 0x00 /* For my own use */
+/* this buffer must be at least (2*PPPD_MTU) + sizeof(ppp_header) + sizeof(lcp_header) +
+ * sizeof(ipcp_header). PPPD_MTU is *very* rarely larger than 1500 so this value is fine
+ */
+#define PPPD_BUF_SIZE 8192
+
typedef enum {
DIRECTION_SENT,
DIRECTION_RECV
@@ -102,7 +107,7 @@
direction_enum dir;
int cnt;
gboolean esc;
- guint8 buf[8192];
+ guint8 buf[PPPD_BUF_SIZE];
long id_offset;
} pkt_t;
@@ -202,7 +207,7 @@
wth->file_encap = WTAP_ENCAP_PPP_WITH_PHDR;
wth->file_type = WTAP_FILE_PPPDUMP;
- wth->snapshot_length = 8192; /* just guessing */
+ wth->snapshot_length = PPPD_BUF_SIZE; /* just guessing */
wth->subtype_read = pppdump_read;
wth->subtype_seek_read = pppdump_seek_read;
wth->subtype_close = pppdump_close;
@@ -227,7 +232,7 @@
pppdump_t *state;
pkt_id *pid;
- buffer_assure_space(wth->frame_buffer, 8192);
+ buffer_assure_space(wth->frame_buffer, PPPD_BUF_SIZE);
buf = buffer_start_ptr(wth->frame_buffer);
state = wth->capture.generic;
@@ -334,7 +339,7 @@
return 0;
}
- if (num_written > sizeof(pd)) {
+ if (num_written > PPPD_BUF_SIZE) {
*err = WTAP_ERR_UNC_OVERFLOW;
return -1;
}
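Review bot: The replaced comparison `num_written > PPPD_BUF_SIZE` fixes the sizeof-of-a-pointer bug, but the name num_written reads as a count produced after the bytes have already been stored, in which case this check reports an overrun rather than preventing one; that is inferred, since the producer of num_written is outside the hunk. If that is so, PPPD_BUF_SIZE should be handed to the writer as its limit and this comparison kept only as a sanity check. A short comment such as `/* pd is PPPD_BUF_SIZE bytes; sizeof(pd) was wrong because pd is a pointer */` would also stop the original mistake from being reintroduced.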
@@ -367,6 +372,10 @@
}
pkt->buf[pkt->cnt++] = c;
+ if (pkt->cnt > PPPD_BUF_SIZE) {
+ *err = WTAP_ERR_UNC_OVERFLOW;
+ return -1;
+ }
break;
}
}
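Review bot: The new bound check on pkt->cnt is placed after `pkt->buf[pkt->cnt++] = c;`, so when cnt already equals PPPD_BUF_SIZE the byte is stored at buf[PPPD_BUF_SIZE], one past the end of the array declared in pkt_t, before the check fires. Test before the store instead: `if (pkt->cnt >= PPPD_BUF_SIZE) { *err = WTAP_ERR_UNC_OVERFLOW; return -1; }` and only then `pkt->buf[pkt->cnt++] = c;`. The enclosing function begins outside the hunk, so any other stores into pkt->buf in it need the same pre-store guard.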
--
Daniel Thompson (STMicroelectronics) <daniel.thompson@xxxxxx>
1000 Aztec West, Almondsbury, Bristol, BS32 4SQ. 01454 462659
Statistics: Where mean is normal and deviation is standard.