https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6510
Summary: Harden buffer_assure_space to avoid integer overflow
and possible later buffer overflows
Product: Wireshark
Version: SVN
Platform: Other
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: huzaifas@xxxxxxxxxx
Created an attachment (id=7325)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7325)
buffer_assure_space() overflow patch
Build Information:
Affects all the builds.
--
buffer_assure_space() in wiretap/buffer.c seems to be suffering from an integer
overflow issue, which may escalate to buffer overflow later.
When performing:
buffer->allocated += space + 1024; the value of buffer->allocated can actual
overflow, which will result in lesser memory being allocated/re-allocated later
in the following line:
buffer->data = (guint8*)g_realloc(buffer->data, buffer->allocated);
Later when this buffer is used to copy data to, it would result in a heap-based
buffer overflow.
Attached patch should correct the problem.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
