File wireshark-0104-CVE-2020-26421.patch of Package wireshark.35707

Overview Repositories Revisions Requests Users Attributes Meta

File wireshark-0104-CVE-2020-26421.patch of Package wireshark.35707

From 61f17d3c2112f5a9da40a33417b778bf66a10aee Mon Sep 17 00:00:00 2001
From: Gerald Combs <gerald@wireshark.org>
Date: Thu, 5 Nov 2020 17:37:13 -0800
Subject: [PATCH] epan: Limit our bits in decode_bits_in_field.

Limit the number of bits we process in decode_bits_in_field, otherwise
we'll overrun our buffer. Fixes #16958.

(cherry picked from commit d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1)
---
 epan/to_str.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/epan/to_str.c b/epan/to_str.c
index fd37f8c6bb..d91991e3f1 100644
--- a/epan/to_str.c
+++ b/epan/to_str.c
@@ -950,13 +950,13 @@ rel_time_to_secs_str(wmem_allocator_t *scope, const nstime_t *rel_time)
 char *
 decode_bits_in_field(const guint bit_offset, const gint no_of_bits, const guint64 value)
 {
-	guint64 mask = 0,tmp;
+	guint64 mask;
 	char *str;
 	int bit, str_p = 0;
 	int i;
+	int max_bits = MIN(64, no_of_bits);
 
-	mask = 1;
-	mask = mask << (no_of_bits-1);
+	mask = G_GUINT64_CONSTANT(1) << (max_bits-1);
 
 	/* Prepare the string, 256 pos for the bits and zero termination, + 64 for the spaces */
 	str=(char *)wmem_alloc0(wmem_packet_scope(), 256+64);
@@ -970,7 +970,7 @@ decode_bits_in_field(const guint bit_offset, const gint no_of_bits, const guint6
 	}
 
 	/* read the bits for the int */
-	for(i=0;i<no_of_bits;i++){
+	for(i=0;i<max_bits;i++){
 		if(bit&&(!(bit%4))){
 			str[str_p] = ' ';
 			str_p++;
@@ -980,8 +980,7 @@ decode_bits_in_field(const guint bit_offset, const gint no_of_bits, const guint6
 			str_p++;
 		}
 		bit++;
-		tmp = value & mask;
-		if(tmp != 0){
+		if((value & mask) != 0){
 			str[str_p] = '1';
 			str_p++;
 		} else {
-- 
2.46.0

Places

File wireshark-0104-CVE-2020-26421.patch of Package wireshark.35707

Places