Wireshark-commits: [Wireshark-commits] master 635cad9: mstp: fix buffer overflow in COBS decoding
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=635cad93737ea7f8ebd6047baf54548212ede7c7
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
635cad9 by Peter Wu (peter@xxxxxxxxxxxxx):
mstp: fix buffer overflow in COBS decoding

Fix a crash (denial of service) resulting from a large buffer overrun
(read) when the "MS/TP Length" is smaller than 3. If that is the case,
then an integer overflow will result in a large unsigned number.

Fix a buffer overflow (write) when the "code" (length) octet is 0. This
is illegal and would result in an integer overflow. With a specially
crafted encoded CRC-32K value, this could result in writing 255 bytes
past the end of buffer (xoring the octets with 0x55).

Make the meaning of the "length" parameter more obvious (include two
bytes such that it reflects the input and output buffer size).

Corrected based on the description in Section 9.10 of
http://www.bacnet.org/Addenda/Add-135-2012an-PPR2-draft-rc4_chair_approved.pdf
(note that its reference code also has this overflow issue).

Bug: 14771
Change-Id: Iac27e1151f02add4e54abb0fcae6afc94460ae23
Fixes: v2.9.0rc0-734-g0e517232a8 ("Added support for extended length BACnet MS/TP data frames.")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8580
Reviewed-on: https://code.wireshark.org/review/27897
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dirk Roemmen <dro@xxxxxxxx>
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
Actions performed:
from bf886df wiretap: camins: add support for timestamps
adds 635cad9 mstp: fix buffer overflow in COBS decoding
Summary of changes:
epan/dissectors/packet-mstp.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
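
The two checks the commit message describes (reject a length below 3 before it is reduced, and reject a "code" octet of 0 before it is used as a block length), shown as an added C example that is neither Wireshark's code nor the BACnet reference code. The function names, the sample octets and the exact subtraction guarded by `reduce_length` are assumptions made for illustration; the decoder also bounds every block against both the input and the output buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define COBS_MASK 0x55u  /* XOR mask named in the commit message */
/* Constructed sample: 11 22 00 33 COBS-encoded as 03 11 22 02 33, XORed with 0x55. */
const uint8_t sample_ok[] = { 0x56, 0x44, 0x77, 0x57, 0x66 };
/* Constructed sample: the first octet decodes to the illegal code 0. */
const uint8_t sample_zero_code[] = { 0x55, 0x44, 0x77 };
uint8_t demo_out[4];     /* output buffer sized for sample_ok */

/* Hypothetical helper: refuse lengths below 3 (threshold from the commit
 * message) instead of letting an unsigned subtraction wrap. */
long reduce_length(size_t field_len)
{
    return field_len < 3 ? -1 : (long)(field_len - 3);
}

/* Hypothetical decoder: returns octets written, or -1 on malformed input
 * or when the output buffer is too small. */
long cobs_decode_checked(uint8_t *out, size_t out_cap,
                         const uint8_t *in, size_t in_len, uint8_t mask)
{
    size_t r = 0, w = 0;
    while (r < in_len) {
        uint8_t code = in[r] ^ mask;
        size_t need;
        if (code == 0)                    /* illegal: code - 1 would wrap */
            return -1;
        if ((size_t)code > in_len - r)    /* block runs past the input */
            return -1;
        /* code - 1 data octets, plus a zero unless the block is full or last */
        need = (size_t)code - 1 + (code != 0xFF && r + code < in_len);
        if (need > out_cap - w)           /* block would overrun the output */
            return -1;
        r++;
        for (uint8_t i = 1; i < code; i++)
            out[w++] = in[r++] ^ mask;
        if (code != 0xFF && r < in_len)
            out[w++] = 0;                 /* restore the implicit zero */
    }
    return (long)w;
}

int main(void)
{
    printf("%ld\n", cobs_decode_checked(demo_out, sizeof demo_out,
                                        sample_ok, sizeof sample_ok, COBS_MASK));
    return 0;
}
```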