| From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 |
| From: Guy Harris <gharris@sonic.net> |
| Date: Thu, 18 May 2023 15:03:23 -0700 |
| Subject: [PATCH] vms: fix the search for the packet length field. |
| |
| The packet length field is of the form |
| |
| Total Length = DDD = ^xXXX |
| |
| where "DDD" is the length in decimal and "XXX" is the length in |
| hexadecimal. |
| |
| Search for "Length ", not just "Length", as we skip past "Length ", not |
| just "Length", so if we assume we found "Length " but only found |
| "Length", we'd skip past the end of the string. |
| |
| While we're at it, fail if we don't find a length field, rather than |
| just blithely acting as if the packet length were zero. |
| |
| Fixes #19083. |
| |
| Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] |
| CVE: CVE-2023-2856 |
| |
| Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> |
| --- |
| wiretap/vms.c | 9 ++++++++- |
| 1 file changed, 8 insertions(+), 1 deletion(-) |
| |
| diff --git a/wiretap/vms.c b/wiretap/vms.c |
| index 0aa83ea..5f5fdbb 100644 |
| --- a/wiretap/vms.c |
| +++ b/wiretap/vms.c |
| @@ -318,6 +318,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in |
| { |
| char line[VMS_LINE_LENGTH + 1]; |
| int num_items_scanned; |
| + gboolean have_pkt_len = FALSE; |
| guint32 pkt_len = 0; |
| int pktnum; |
| int csec = 101; |
| @@ -374,7 +375,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in |
| return FALSE; |
| } |
| } |
| - if ( (! pkt_len) && (p = strstr(line, "Length"))) { |
| + if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { |
| p += sizeof("Length "); |
| while (*p && ! g_ascii_isdigit(*p)) |
| p++; |
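Review bot: `p += sizeof("Length ");` still advances eight bytes, because `sizeof` counts the literal's terminating NUL, while the new `strstr(line, "Length ")` match only guarantees seven characters followed by the terminator. For a line that ends exactly in "Length ", `p` then sits one byte past the terminator, and the `while (*p && ! g_ascii_isdigit(*p))` scan reads whatever follows in `line`. Skipping only the matched text, `p += sizeof("Length ") - 1;`, keeps the pointer on or before the NUL. The digit scan already steps over the "= " that follows in a well-formed record. The body of parse_vms_packet starts and ends outside this hunk.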
| @@ -390,9 +391,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in |
| *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); |
| return FALSE; |
| } |
| + have_pkt_len = TRUE; |
| break; |
| } |
| } while (! isdumpline(line)); |
| + if (! have_pkt_len) { |
| + *err = WTAP_ERR_BAD_FILE; |
| + *err_info = g_strdup_printf("vms: Length field not found"); |
| + return FALSE; |
| + } |
| if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { |
| /* |
| * Probably a corrupt capture file; return an error, |
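Review bot: The new not-found path calls `g_strdup_printf("vms: Length field not found")` with a constant message and no arguments; `*err_info = g_strdup("vms: Length field not found");` produces the same string without passing a fixed message through format parsing. A short comment above the `if (! have_pkt_len)` check would also help, for example `/* No "Length " field seen before the first dump line: reject the record rather than treat it as zero-length. */`. parse_vms_packet continues past the end of this hunk.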
| -- |
| 2.25.1 |
| |