From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Fri, 19 May 2023 16:29:45 -0700
Subject: [PATCH] netscaler: add more checks to make sure the record is within the page.

Whie we're at it, restructure some other checks to test-before-casting - it's OK to test afterwards, but testing before makes it follow the pattern used elsewhere.
Fixes #19081.
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105]
CVE: CVE-2023-2858
Signed-off-by: Hitendra Prajapati
---
 wiretap/netscaler.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index 93da9a2..f835dfa 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info)
 #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \
 do {\
- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
 /* Make sure the record header is entirely contained in the page */\
- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\
+ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\
 *err = WTAP_ERR_BAD_FILE;\
 *err_info = g_strdup("nstrace: record header crosses page boundary");\
 return FALSE;\
 }\
+ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
 /* Check sanity of record size */\
 if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\
 *err = WTAP_ERR_BAD_FILE;\
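Review bot: The header-in-page test in the reordered v10 `PACKET_DESCRIBE` macro, `(nstrace_buflen - nstrace_buf_offset) < sizeof(...)`, is a valid bound only while `nstrace_buf_offset <= nstrace_buflen`. Because the difference is compared against a `sizeof` value, a negative or wrapped difference is treated as a large unsigned number and the check passes, after which the cast points outside the page. The loop that is expected to maintain that ordering is not visible in this hunk, so either confirm it or make the test self-contained: `if (nstrace_buf_offset > nstrace_buflen || (nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\`. The v20 `PACKET_DESCRIBE` macro at `@@ -1466,14 +1472,14 @@` uses the same expression with `nstrace->nstrace_buflen` and needs the same treatment. The macro body continues past the end of the hunk.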
@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
 case NSPR_ABSTIME_V10:
 {
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
 nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
 if (pletoh16(&fp->nsprRecordSize) == 0) {
 *err = WTAP_ERR_BAD_FILE;
@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
 case NSPR_RELTIME_V10:
 {
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
 nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
 if (pletoh16(&fp->nsprRecordSize) == 0) {
 *err = WTAP_ERR_BAD_FILE;
@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf,
 default:
 {
+ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info))
+ return FALSE;
 nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset];
 if (pletoh16(&fp->nsprRecordSize) == 0) {
 *err = WTAP_ERR_BAD_FILE;
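Review bot: The guard added to the `NSPR_ABSTIME_V10` case requires `sizeof(nspr_pktracefull_v10_t)` bytes to remain in the page, yet the visible lines of that case read only `fp->nsprRecordSize`; the `NSPR_RELTIME_V10` and `default` hunks (`@@ -1166,6 +1168,8 @@`, `@@ -1183,6 +1187,8 @@`) repeat the same call. If time records or unknown record types can be shorter than a full packet-trace header (the struct layouts are not shown here), a well-formed short record at the end of a page would now be rejected as a bad file, so the length should be that of the smallest header these cases dereference, e.g. `if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(<record-header type>), err, err_info))` with the placeholder replaced by the real type. `nstrace_ensure_buflen` is not defined anywhere in this patch (all 10 insertions are accounted for in the hunks), so the backport builds only if the target tree already carries that helper. The new `if` is also unbraced while the neighbouring `if (...) {` is braced; wrapping `return FALSE;` in braces would match. Each case body continues past its hunk.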
@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf,
 #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\
 do {\
- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
 /* Make sure the record header is entirely contained in the page */\
- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\
+ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\
 *err = WTAP_ERR_BAD_FILE;\
 *err_info = g_strdup("nstrace: record header crosses page boundary");\
 g_free(nstrace_tmpbuff);\
 return FALSE;\
 }\
+ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\
 (rec)->rec_type = REC_TYPE_PACKET;\
 TIMEDEFV##ver((rec),fp,type);\
 FULLPART##SIZEDEFV##ver((rec),fp,ver);\
@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf,
 g_free(nstrace_tmpbuff);
 return FALSE;
 }
- hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset];
 if (nspr_getv20recordsize(hdp) == 0) {
 *err = WTAP_ERR_BAD_FILE;
--
2.25.1