3340d77368
It fixes many buffer overflow in different protocol parsers, but none of them are critical, even in absense of Capsicum. Security: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925 Security: CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929 Security: CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933 Security: CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937 Security: CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973 Security: CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984 Security: CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993 Security: CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203 Security: CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342 Security: CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485 Security: CVE-2017-5486
156 lines
3.9 KiB
C
156 lines
3.9 KiB
C
/*-
|
|
* Copyright (c) 2003, 2004 David Young. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. The name of David Young may not be used to endorse or promote
|
|
* products derived from this software without specific prior
|
|
* written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID
|
|
* YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
|
|
* OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <netdissect-stdinc.h>
|
|
|
|
#include "cpack.h"
|
|
#include "extract.h"
|
|
|
|
const uint8_t *
|
|
cpack_next_boundary(const uint8_t *buf, const uint8_t *p, size_t alignment)
|
|
{
|
|
size_t misalignment = (size_t)(p - buf) % alignment;
|
|
|
|
if (misalignment == 0)
|
|
return p;
|
|
|
|
return p + (alignment - misalignment);
|
|
}
|
|
|
|
/* Advance to the next wordsize boundary. Return NULL if fewer than
|
|
* wordsize bytes remain in the buffer after the boundary. Otherwise,
|
|
* return a pointer to the boundary.
|
|
*/
|
|
const uint8_t *
|
|
cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize)
|
|
{
|
|
const uint8_t *next;
|
|
|
|
/* Ensure alignment. */
|
|
next = cpack_next_boundary(cs->c_buf, cs->c_next, wordsize);
|
|
|
|
/* Too little space for wordsize bytes? */
|
|
if (next - cs->c_buf + wordsize > cs->c_len)
|
|
return NULL;
|
|
|
|
return next;
|
|
}
|
|
|
|
/* Advance by N bytes without returning them. */
|
|
int
|
|
cpack_advance(struct cpack_state *cs, const size_t toskip)
|
|
{
|
|
/* No space left? */
|
|
if (cs->c_next - cs->c_buf + toskip > cs->c_len)
|
|
return -1;
|
|
cs->c_next += toskip;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
cpack_init(struct cpack_state *cs, const uint8_t *buf, size_t buflen)
|
|
{
|
|
memset(cs, 0, sizeof(*cs));
|
|
|
|
cs->c_buf = buf;
|
|
cs->c_len = buflen;
|
|
cs->c_next = cs->c_buf;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Unpack a 64-bit unsigned integer. */
|
|
int
|
|
cpack_uint64(struct cpack_state *cs, uint64_t *u)
|
|
{
|
|
const uint8_t *next;
|
|
|
|
if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL)
|
|
return -1;
|
|
|
|
*u = EXTRACT_LE_64BITS(next);
|
|
|
|
/* Move pointer past the uint64_t. */
|
|
cs->c_next = next + sizeof(*u);
|
|
return 0;
|
|
}
|
|
|
|
/* Unpack a 32-bit unsigned integer. */
|
|
int
|
|
cpack_uint32(struct cpack_state *cs, uint32_t *u)
|
|
{
|
|
const uint8_t *next;
|
|
|
|
if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL)
|
|
return -1;
|
|
|
|
*u = EXTRACT_LE_32BITS(next);
|
|
|
|
/* Move pointer past the uint32_t. */
|
|
cs->c_next = next + sizeof(*u);
|
|
return 0;
|
|
}
|
|
|
|
/* Unpack a 16-bit unsigned integer. */
|
|
int
|
|
cpack_uint16(struct cpack_state *cs, uint16_t *u)
|
|
{
|
|
const uint8_t *next;
|
|
|
|
if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL)
|
|
return -1;
|
|
|
|
*u = EXTRACT_LE_16BITS(next);
|
|
|
|
/* Move pointer past the uint16_t. */
|
|
cs->c_next = next + sizeof(*u);
|
|
return 0;
|
|
}
|
|
|
|
/* Unpack an 8-bit unsigned integer. */
|
|
int
|
|
cpack_uint8(struct cpack_state *cs, uint8_t *u)
|
|
{
|
|
/* No space left? */
|
|
if ((size_t)(cs->c_next - cs->c_buf) >= cs->c_len)
|
|
return -1;
|
|
|
|
*u = *cs->c_next;
|
|
|
|
/* Move pointer past the uint8_t. */
|
|
cs->c_next++;
|
|
return 0;
|
|
}
|