On Thu, May 30, 2013 at 10:15 PM, Evan Huus <[email protected]> wrote: > On Thu, May 30, 2013 at 9:46 PM, <[email protected]> wrote: >> http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=49644 >> >> User: morriss >> Date: 2013/05/30 06:46 PM >> >> Log: >> (Finally!) check in part of Didier's patch to fix >> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3290 >> (TRY_TO_FAKE_THIS_ITEM disables bounds errors): >> >> Before calling TRY_TO_FAKE_THIS_ITEM() check if the length given (or, in >> the case of FT_UINT_{STRING,BYTES}, the length we retrieve from the TVB) >> exceeds what's left in the TVB. >> >> Do this only for proto_tree_add_item() for now (it's the most commonly used >> and thus the biggest trouble maker in this area). >> >> Similar changes for other APIs will come later (if nothing blows up). >> Despite >> the fuzz failures this bug has caused I'm not sure about back-porting it... >> >> Directory: /trunk/epan/ >> Changes Path Action >> +28 -3 proto.c Modified > > Thank you for this! > > If we get through a round or two of fuzz-testing without any failures > I would really like to see this backported to every stable branch > (even 1.6). It closes an entire class of security vulnerabilities, and > while it is a fairly non-trivial behavioural change in a hot code > path, it is relatively short and clearly not doing anything too odd. > > Fingers crossed for no unexpected side-effects... > Evan
P.S. I don't know when we're expecting 1.10 final but I think delaying it (if necessary) in order to include this fix is fully justified. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
