Wireshark-bugs: [Wireshark-bugs] [Bug 7363] Wireshark is unable to dissect Security Descriptors
Date: Tue, 12 Jun 2012 21:44:51 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7363

--- Comment #6 from Richard Sharpe <[email protected]> 2012-06-12 21:44:50 PDT ---
A patch that implements part of the above dissection.

[[email protected] wireshark.h3-mods]$ diff -up
../wireshark/epan/dissectors/packet-windows-common.c 
epan/dissectors/packet-windows-common.c
--- ../wireshark/epan/dissectors/packet-windows-common.c    2012-06-10
12:30:04.638364315 -0700
+++ epan/dissectors/packet-windows-common.c    2012-06-12 19:50:16.494024966
-0700
@@ -2362,6 +2362,8 @@ dissect_nt_acl(tvbuff_t *tvb, int offset
     int pre_ace_offset;
     guint16 revision;
     guint32 num_aces;
+    guint32 total_aces;
+    gboolean missing_data = FALSE;

     if(parent_tree){
         item = proto_tree_add_text(parent_tree, tvb, offset, -1,
@@ -2407,15 +2409,27 @@ dissect_nt_acl(tvbuff_t *tvb, int offset
                   tvb, offset, 4, num_aces);
       offset += 4;

-      while(num_aces--){
+      total_aces = num_aces;
+
+      while(num_aces-- && !missing_data){
         pre_ace_offset = offset;
-        offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami);
-        if (pre_ace_offset == offset) {
+
+        TRY {
+          offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami);
+          if (pre_ace_offset == offset) {
             /*
              * Bogus ACE, with a length < 4.
              */
             break;
+          }
         }
+
+        CATCH2(BoundsError, ReportedBoundsError) {
+            proto_tree_add_text(tree, tvb, offset, 0, "ACE Extends beyond end
of captured or reassembled buffer");
+            missing_data = TRUE;
+        }
+
+        ENDTRY;
       }
     }
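Review bot: The `break;` for the bogus-ACE case now sits inside the TRY block, so it leaves the `while` loop without executing ENDTRY. Wireshark's exception macros expect control to pass through ENDTRY before branching out; otherwise the handler pushed by TRY stays registered. Since this loop is driven by an ACE count read from the packet, I would record the condition instead: replace the `break;` with a flag such as `missing_data = TRUE;` (or a separate `bogus_ace` flag tested in the loop condition), so the loop ends through ENDTRY. `total_aces` is assigned here but not read in any visible hunk; drop it or use it in the truncation message. The body of dissect_nt_acl begins before this hunk.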

@@ -2663,9 +2677,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int o
            */
           THROW(ReportedBoundsError);
         }
-        offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
-        if (offset > end_offset)
-          end_offset = offset;
+        TRY{ 
+          offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
+          if (offset > end_offset)
+            end_offset = offset;
+        }
+
+        CATCH2(BoundsError, ReportedBoundsError) {
+          proto_tree_add_text(tree, tvb, item_offset, 0, "Owner SID beyond end
of captured or reassembled buffer");
+        }
+
+        ENDTRY;
       }

       /*group SID*/
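Review bot: The CATCH2 handler added around the Owner SID swallows both BoundsError and ReportedBoundsError and leaves only a plain text item, so a descriptor whose owner offset points outside the buffer no longer surfaces through the usual short-frame or malformed-packet reporting; the Group SID hunk that follows does the same. These offsets come from the packet, so the anomaly should stay visible to an analyst: consider attaching expert info to the added item, and document the intent with a comment such as `/* Swallow the exception so the remaining fields are still dissected; this SID is truncated or malformed. */`. When the handler runs, `offset` and `end_offset` keep their earlier values, which the length and return code at the end of dissect_nt_sec_desc then depends on. The two handlers differ only in the label and could share one helper.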
@@ -2677,9 +2699,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int o
            */
           THROW(ReportedBoundsError);
         }
-        offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
-        if (offset > end_offset)
-          end_offset = offset;
+        TRY {
+          offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
+          if (offset > end_offset)
+            end_offset = offset;
+        }
+
+        CATCH2(BoundsError, ReportedBoundsError) {
+          proto_tree_add_text(tree, tvb, item_offset, 0, "Group SID beyond end
of captured or reassembled buffer");
+        }
+
+        ENDTRY;
       }

       /* sacl */
@@ -2711,6 +2741,7 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int o
         if (offset > end_offset)
           end_offset = offset;
       }
+
       break;

     default:
@@ -2720,16 +2751,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int o
     if (len_supplied) {
       /* Make sure the length isn't too large (so that we get an
          overflow) */
-      tvb_ensure_bytes_exist(tvb, start_offset, len);
+      /* tvb_ensure_bytes_exist(tvb, start_offset, len);*/
     } else {
       /* The length of the security descriptor is the difference
          between the starting offset and the offset past the last
          item in the descriptor. */
       len = end_offset - start_offset;
     }
+    len = end_offset - start_offset;
     proto_item_set_len(item, len);

-    return offset+len;
+    return offset;
 }

 /*
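Review bot: The unconditional `len = end_offset - start_offset;` added after the if/else overwrites a caller-supplied length, and with `tvb_ensure_bytes_exist()` commented out the `len_supplied` branch neither validates nor uses `len` any more. If the check is relaxed on purpose so that truncated captures still dissect, remove the dead call and branch and state that in a comment rather than leaving commented-out code behind. `return offset;` gives the end of whichever field was dissected last (and is unchanged if a SID handler caught an exception), whereas the furthest end is tracked in `end_offset`. Something like `return len_supplied ? start_offset + len : end_offset;`, without the overwrite, would keep callers positioned after the descriptor; this assumes `end_offset` is initialised to `start_offset`, which happens outside the hunk.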

-- 