On Thu, May 30, 2013 at 9:46 PM, <[email protected]> wrote:
> http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=49644
>
> User: morriss
> Date: 2013/05/30 06:46 PM
>
> Log:
>  (Finally!) check in part of Didier's patch to fix
>  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3290
>  (TRY_TO_FAKE_THIS_ITEM disables bounds errors):
>
>  Before calling TRY_TO_FAKE_THIS_ITEM() check if the length given (or, in
>  the case of FT_UINT_{STRING,BYTES}, the length we retrieve from the TVB)
>  exceeds what's left in the TVB.
>
>  Do this only for proto_tree_add_item() for now (it's the most commonly used
>  and thus the biggest trouble maker in this area).
>
>  Similar changes for other APIs will come later (if nothing blows up).
>  Despite the fuzz failures this bug has caused I'm not sure about
>  back-porting it...
>
> Directory: /trunk/epan/
>   Changes    Path       Action
>   +28 -3     proto.c    Modified

Thank you for this!

If we get through a round or two of fuzz-testing without any failures I would really like to see this backported to every stable branch (even 1.6). It closes an entire class of security vulnerabilities, and while it is a fairly non-trivial behavioural change in a hot code path, it is relatively short and clearly not doing anything too odd.

Fingers crossed for no unexpected side-effects...

Evan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
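
The ordering change described in the commit log above, as an added example that is not part of the thread or of Wireshark's code: a simplified C model in which every name (`struct buf`, `check_length`, `add_item_before`, `add_item_after`) is hypothetical, `sample_pkt` is constructed, and a return code stands in for the dissector's bounds error.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not Wireshark code: all names here are hypothetical. */
enum { ITEM_OK = 0, ITEM_FAKED = 1, ITEM_BOUNDS_ERROR = -1 };
enum field_kind { KIND_FIXED, KIND_UINT_PREFIXED }; /* cf. FT_UINT_{STRING,BYTES} */

struct buf { const uint8_t *data; size_t len; };    /* stand-in for a TVB */

/* Constructed sample: 2-byte big-endian prefix claims 16 bytes, 2 follow. */
const uint8_t sample_pkt[] = { 0x00, 0x10, 'a', 'b' };
const struct buf sample_buf = { sample_pkt, sizeof sample_pkt };

/* Check the item's length against what is left in the buffer. For a
 * length-prefixed field, 'length' is the prefix width (1 or 2 bytes here)
 * and the payload size is read from the buffer itself. */
static int check_length(const struct buf *b, size_t off, size_t length,
                        enum field_kind kind)
{
    if (off > b->len || length > b->len - off)
        return ITEM_BOUNDS_ERROR;
    if (kind == KIND_UINT_PREFIXED) {
        size_t n = 0;
        for (size_t i = 0; i < length; i++)
            n = (n << 8) | b->data[off + i];
        if (n > b->len - off - length)
            return ITEM_BOUNDS_ERROR;
    }
    return ITEM_OK;
}

/* Old ordering: the fast path returns before any length is examined, so an
 * oversized length goes unreported whenever the item is faked. */
int add_item_before(const struct buf *b, size_t off, size_t length,
                    enum field_kind kind, int tree_visible)
{
    if (!tree_visible)
        return ITEM_FAKED;
    return check_length(b, off, length, kind);
}

/* Ordering from the commit log: check the length first, then fake the item. */
int add_item_after(const struct buf *b, size_t off, size_t length,
                   enum field_kind kind, int tree_visible)
{
    int rc = check_length(b, off, length, kind);
    if (rc != ITEM_OK)
        return rc;
    return tree_visible ? ITEM_OK : ITEM_FAKED;
}
```

With the old ordering the same malformed input is reported or silently accepted depending only on whether the tree is visible; with the new ordering the result no longer depends on that flag.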
