Wireshark · Ethereal-users: Re: [Ethereal-users] HP JetDirect and ethereal SNMP vulnerabilities

[Guy Harris <guy@xxxxxxxxxx>]

> The attached patch to "asn1.c" should keep the ASN.1 code from blowing
> up if handed an absurd length for a string or OID item.

And the attached patch, applied on top of my previous patch, may catch
some additional problems.  (I'll be checking it in as well.)

Index: asn1.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/asn1.c,v
retrieving revision 1.9
diff -c -r1.9 asn1.c
*** asn1.c	2002/02/20 22:46:21	1.9
--- asn1.c	2002/02/21 01:55:32
***************
*** 68,73 ****
--- 68,75 ----
  #include <winsock.h>
  #endif
  
+ #include <limits.h>
+ 
  #include <glib.h>
  #include <epan/tvbuff.h>
  #include "asn1.h"
***************
*** 649,654 ****
--- 651,663 ----
      eoc = asn1->offset + enc_len;
  
      /*
+      * Check for an overflow, and clamp "eoc" at the maximum if we
+      * get it.
+      */
+     if (eoc < asn1->offset || eoc < 0)
+ 	eoc = INT_MAX;
+ 
+     /*
       * First, make sure the entire string is in the tvbuff, and throw
       * an exception if it isn't.  If the length is bogus, this should
       * keep us from trying to allocate an immensely large buffer.
***************
*** 809,814 ****
--- 818,830 ----
      subid_t      *optr;
  
      eoc = asn1->offset + enc_len;
+ 
+     /*
+      * Check for an overflow, and clamp "eoc" at the maximum if we
+      * get it.
+      */
+     if (eoc < asn1->offset || eoc < 0)
+ 	eoc = INT_MAX;
  
      /*
       * First, make sure the entire string is in the tvbuff, and throw