Wireshark-commits: [Wireshark-commits] master 635cad9: mstp: fix buffer overflow in COBS decoding
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Wed, 30 May 2018 06:56:11 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=635cad93737ea7f8ebd6047baf54548212ede7c7
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

635cad9 by Peter Wu (peter@xxxxxxxxxxxxx):

    mstp: fix buffer overflow in COBS decoding
    
    Fix a crash (denial of service) resulting from a large buffer overrun
    (read) when the "MS/TP Length" is smaller than 3. If that is the case,
    then an integer overflow will result in a large unsigned number.
    
    Fix a buffer overflow (write) when the "code" (length) octet is 0. This
    is illegal and would result in an integer overflow. With a specially
    crafted encoded CRC-32K value, this could result in writing 255 bytes
    past the end of buffer (xoring the octets with 0x55).
    
    Make the meaning of the "length" parameter more obvious (include two
    bytes such that it reflects the input and output buffer size).
    
    Corrected based on the description in Section 9.10 of
    http://www.bacnet.org/Addenda/Add-135-2012an-PPR2-draft-rc4_chair_approved.pdf
    (note that its reference code also has this overflow issue).
    
    Bug: 14771
    Change-Id: Iac27e1151f02add4e54abb0fcae6afc94460ae23
    Fixes: v2.9.0rc0-734-g0e517232a8 ("Added support for extended length BACnet MS/TP data frames.")
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8580
    Reviewed-on: https://code.wireshark.org/review/27897
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Dirk Roemmen <dro@xxxxxxxx>
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  bf886df   wiretap: camins: add support for timestamps
    adds  635cad9   mstp: fix buffer overflow in COBS decoding


Summary of changes:
 epan/dissectors/packet-mstp.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
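
The two checks the commit message describes, as an added example (not the code from packet-mstp.c and not the BACnet reference code): a COBS decoder that rejects a zero code octet and bounds every run against both the input and the output buffer, plus a guard for the unsigned length subtraction. The function names, the TRAILER constant and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XOR_MASK 0x55u /* mask value named in the commit message */
#define TRAILER  3u    /* assumption: octets subtracted from the length field */

/* Payload length, or -1 where the unsigned subtraction would wrap. */
long payload_len(size_t frame_len)
{
    return frame_len < TRAILER ? -1 : (long)(frame_len - TRAILER);
}

/* Decode in[0..in_len) into out[0..out_cap); returns octets written or -1. */
long cobs_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t rd = 0, wr = 0;
    while (rd < in_len) {
        uint8_t code = (uint8_t)(in[rd++] ^ XOR_MASK);
        if (code == 0)
            return -1;               /* illegal: code - 1 would wrap */
        size_t run = (size_t)code - 1;
        if (run > in_len - rd || run > out_cap - wr)
            return -1;               /* run exceeds input or output buffer */
        while (run--)
            out[wr++] = (uint8_t)(in[rd++] ^ XOR_MASK);
        if (code != 0xFF && rd < in_len) {   /* elided zero between blocks */
            if (wr == out_cap)
                return -1;
            out[wr++] = 0;
        }
    }
    return (long)wr;
}

/* Constructed samples: 11 22 00 33 encoded and masked; a lone zero code;
 * a code octet claiming more data than the input holds. */
const uint8_t good[] = { 0x56, 0x44, 0x77, 0x57, 0x66 };
const uint8_t zero_code[] = { 0x55 };
const uint8_t short_run[] = { 0x50, 0x44 };
uint8_t decoded[8];

int main(void)
{
    printf("good=%ld zero=%ld short=%ld len2=%ld\n",
           cobs_decode(good, sizeof good, decoded, sizeof decoded),
           cobs_decode(zero_code, sizeof zero_code, decoded, sizeof decoded),
           cobs_decode(short_run, sizeof short_run, decoded, sizeof decoded),
           payload_len(2));
    return 0;
}
```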