Bug #402 memset dlt radiotap get 80211

docs/CHANGELOG

@@ -11,6 +11,7 @@
     - Rewrite zero IP total length field to match the actual packet length (#406)
     - stack-buffer-overflow in tcpcapinfo (#405)
     - tcpprep --include option does not exclude (#404)
+    - Negative-size-param memset in dlt_radiotap_get_80211 (#402)
 
 05/10/2017 Version 4.2.6
     - Test fails on sparc64 (#393)

src/tcpedit/plugins/dlt_en10mb/en10mb.c

@@ -104,8 +104,10 @@ dlt_en10mb_init(tcpeditdlt_t *ctx)
         return TCPEDIT_ERROR;
     }
 
-    ctx->decoded_extra = safe_malloc(sizeof(en10mb_extra_t));
-    plugin->config = safe_malloc(sizeof(en10mb_config_t));
+    ctx->decoded_extra_size = sizeof(en10mb_extra_t);
+    ctx->decoded_extra = safe_malloc(ctx->decoded_extra_size);
+    plugin->config_size = sizeof(en10mb_config_t);
+    plugin->config = safe_malloc(plugin->config_size);
     config = (en10mb_config_t *)plugin->config;
 
     /* init vlan user values to -1 to indicate not set */
@@ -135,11 +137,13 @@ dlt_en10mb_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */
@@ -222,7 +226,12 @@ dlt_en10mb_parse_opts(tcpeditdlt_t *ctx)
     assert(ctx);
 
     plugin = tcpedit_dlt_getplugin(ctx, dlt_value);
+    if (!plugin)
+        return TCPEDIT_ERROR;
+
     config = (en10mb_config_t *)plugin->config;
+    if (plugin->config_size < sizeof(*config))
+        return TCPEDIT_ERROR;
 
     /* --subsmacs */
     if (HAVE_OPT(ENET_SUBSMAC)) {
@@ -381,6 +390,9 @@ dlt_en10mb_decode(tcpeditdlt_t *ctx, const u_char *packet, const int pktlen)
     memcpy(&(ctx->srcaddr.ethernet), &(eth->ether_shost), ETHER_ADDR_LEN);
 
     extra = (en10mb_extra_t *)ctx->decoded_extra;
+    if (ctx->decoded_extra_size < sizeof(*extra))
+        return TCPEDIT_ERROR;
+
     extra->vlan = 0;
 
     /* get the L3 protocol type  & L2 len*/
@@ -436,9 +448,17 @@ dlt_en10mb_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, tcpr_dir_t dir)
     }
 
     plugin = tcpedit_dlt_getplugin(ctx, dlt_value);
+    if (!plugin)
+        return TCPEDIT_ERROR;
+
     config = plugin->config;
+    if (plugin->config_size < sizeof(*config))
+        return TCPEDIT_ERROR;
+
     extra = (en10mb_extra_t *)ctx->decoded_extra;
-
+    if (ctx->decoded_extra_size < sizeof(*extra))
+        return TCPEDIT_ERROR;
+
     /* figure out the new layer2 length, first for the case: ethernet -> ethernet? */
     if (ctx->decoder->dlt == dlt_value) {
         if ((ctx->l2len == TCPR_802_1Q_H && config->vlan == TCPEDIT_VLAN_OFF) ||

src/tcpedit/plugins/dlt_hdlc/hdlc.c

@@ -102,13 +102,12 @@ dlt_hdlc_init(tcpeditdlt_t *ctx)
     }
 
     /* allocate memory for our deocde extra data */
-    if (sizeof(hdlc_extra_t) > 0)
-        ctx->decoded_extra = safe_malloc(sizeof(hdlc_extra_t));
+    ctx->decoded_extra_size = sizeof(hdlc_extra_t);
+    ctx->decoded_extra = safe_malloc(ctx->decoded_extra_size);
 
     /* allocate memory for our config data */
-    if (sizeof(hdlc_config_t) > 0)
-        plugin->config = safe_malloc(sizeof(hdlc_config_t));
-
+    plugin->config_size = sizeof(hdlc_config_t);
+    plugin->config = safe_malloc(plugin->config_size);
     config = (hdlc_config_t *)plugin->config;
 
     /* default to unset */
@@ -136,11 +135,13 @@ dlt_hdlc_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */
@@ -159,9 +160,15 @@ dlt_hdlc_parse_opts(tcpeditdlt_t *ctx)
     hdlc_config_t *config;
     assert(ctx);
 
+
     plugin = tcpedit_dlt_getplugin(ctx, dlt_value);
+    if (!plugin)
+        return TCPEDIT_ERROR;
+
     config = plugin->config;
-
+    if (plugin->config_size < sizeof(*config))
+        return TCPEDIT_ERROR;
+
     if (HAVE_OPT(HDLC_CONTROL)) {
         config->control = (uint16_t)OPT_VALUE_HDLC_CONTROL;
     }
@@ -191,10 +198,14 @@ dlt_hdlc_decode(tcpeditdlt_t *ctx, const u_char *packet, const int pktlen)
     assert(ctx);
     assert(packet);
 
-    if (pktlen < 4)
+    if (pktlen < sizeof(*hdlc))
         return TCPEDIT_ERROR;
 
+    if (ctx->decoded_extra_size < sizeof(*extra))
+        return TCPEDIT_ERROR;
+
     extra = (hdlc_extra_t *)ctx->decoded_extra;
+
     hdlc = (cisco_hdlc_t *)packet;
 
     ctx->proto = hdlc->protocol;
@@ -223,7 +234,10 @@ dlt_hdlc_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, _U_ tcpr_dir_t di
     assert(ctx);
     assert(packet);
 
-    if (pktlen < 4)
+    if (pktlen < sizeof(*hdlc))
+        return TCPEDIT_ERROR;
+
+    if (ctx->decoded_extra_size < sizeof(*extra))
         return TCPEDIT_ERROR;
 
     /* Make room for our new l2 header if old l2len != 4 */
@@ -243,8 +257,16 @@ dlt_hdlc_encode(tcpeditdlt_t *ctx, u_char *packet, int pktlen, _U_ tcpr_dir_t di
      */
     hdlc = (cisco_hdlc_t *)packet;
     plugin = tcpedit_dlt_getplugin(ctx, dlt_value);
+    if (!plugin)
+        return TCPEDIT_ERROR;
+
     config = plugin->config;
+    if (plugin->config_size < sizeof(*config))
+        return TCPEDIT_ERROR;
+
     extra = (hdlc_extra_t *)ctx->decoded_extra;
+    if (ctx->decoded_extra_size < sizeof(*extra))
+        return TCPEDIT_ERROR;
 
     /* set the address field */
     if (config->address < 65535) {

src/tcpedit/plugins/dlt_hdlc/hdlc_types.h

@@ -33,9 +33,14 @@ extern "C" {
  * Example: Ethernet VLAN tag info
  */
 typedef struct {
-    int hdlc; /* set to 1 if values below are filled out */
-    u_int8_t address;
-    u_int8_t control;
+    union {
+        struct {
+            int hdlc; /* set to 1 if values below are filled out */
+            u_int8_t address;
+            u_int8_t control;
+        };
+        u_char packet[MAXPACKET];
+    };
 } hdlc_extra_t;
 
 

src/tcpedit/plugins/dlt_ieee80211/ieee80211.c

@@ -108,13 +108,13 @@ dlt_ieee80211_init(tcpeditdlt_t *ctx)
         return TCPEDIT_ERROR;
     }
 
-    /* allocate memory for our deocde extra data */
-    if (sizeof(ieee80211_extra_t) > 0)
-        ctx->decoded_extra = safe_malloc(sizeof(ieee80211_extra_t));
+    /* allocate memory for our decode extra data */
+    ctx->decoded_extra_size = sizeof(ieee80211_extra_t);
+    ctx->decoded_extra = safe_malloc(ctx->decoded_extra_size);
 
     /* allocate memory for our config data */
-    if (sizeof(ieee80211_config_t) > 0)
-        plugin->config = safe_malloc(sizeof(ieee80211_config_t));
+    plugin->config_size = sizeof(ieee80211_config_t);
+    plugin->config = safe_malloc(plugin->config_size);
 
     /* FIXME: set default config values here */
 
@@ -140,11 +140,13 @@ dlt_ieee80211_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */

src/tcpedit/plugins/dlt_ieee80211/ieee80211_types.h

@@ -83,8 +83,7 @@ typedef struct {
  * Example: Ethernet VLAN tag info
  */
 typedef struct {
-    /* dummy entry for SunPro compiler which doesn't like empty structs */    
-    int dummy;
+    u_char packet[MAXPACKET];
 } ieee80211_extra_t;
 
 /* 

src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c

@@ -117,8 +117,8 @@ dlt_jnpr_ether_init(tcpeditdlt_t *ctx)
     }
 
     /* allocate memory for our config data */
-    if (sizeof(jnpr_ether_config_t) > 0)
-        plugin->config = safe_malloc(sizeof(jnpr_ether_config_t));
+    plugin->config_size = sizeof(jnpr_ether_config_t);
+    plugin->config = safe_malloc(plugin->config_size);
 
     return TCPEDIT_OK; /* success */
 }
@@ -164,13 +164,15 @@ dlt_jnpr_ether_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         /* clean up the en10mb plugin */
         config = (jnpr_ether_config_t *)ctx->encoder->config;
         tcpedit_dlt_cleanup(config->subctx);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */

src/tcpedit/plugins/dlt_linuxsll/linuxsll.c

@@ -103,14 +103,13 @@ dlt_linuxsll_init(tcpeditdlt_t *ctx)
         return TCPEDIT_ERROR;
     }
 
-    /* allocate memory for our deocde extra data */
-    if (sizeof(linuxsll_extra_t) > 0)
-        ctx->decoded_extra = safe_malloc(sizeof(linuxsll_extra_t));
+    /* allocate memory for our decode extra data */
+    ctx->decoded_extra_size = sizeof(linuxsll_extra_t);
+    ctx->decoded_extra = safe_malloc(ctx->decoded_extra_size);
 
     /* allocate memory for our config data */
-    if (sizeof(linuxsll_config_t) > 0)
-        plugin->config = safe_malloc(sizeof(linuxsll_config_t));
-
+    plugin->config_size = sizeof(linuxsll_config_t);
+    plugin->config = safe_malloc(plugin->config_size);
 
     return TCPEDIT_OK; /* success */
 }
@@ -135,11 +134,13 @@ dlt_linuxsll_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */

src/tcpedit/plugins/dlt_linuxsll/linuxsll_types.h

@@ -32,8 +32,7 @@ extern "C" {
  * Example: Ethernet VLAN tag info
  */
 typedef struct {
-    /* dummy entry for SunPro compiler which doesn't like empty structs */    
-    int dummy;
+    u_char packet[MAXPACKET];
 } linuxsll_extra_t;
 
 

src/tcpedit/plugins/dlt_null/null.c

@@ -140,11 +140,13 @@ dlt_null_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */

src/tcpedit/plugins/dlt_plugins.c

@@ -443,7 +443,7 @@ tcpedit_dlt_cleanup(tcpeditdlt_t *ctx)
 
     if (ctx->decoded_extra != NULL)
         safe_free(ctx->decoded_extra);
-        
+
     safe_free(ctx);
 }
 

src/tcpedit/plugins/dlt_pppserial/pppserial.c

@@ -162,11 +162,13 @@ dlt_pppserial_cleanup(tcpeditdlt_t *ctx)
     if (ctx->decoded_extra != NULL) {
         safe_free(ctx->decoded_extra);
         ctx->decoded_extra = NULL;
+        ctx->decoded_extra_size = 0;
     }
 
     if (plugin->config != NULL) {
         safe_free(plugin->config);
         plugin->config = NULL;
+        plugin->config_size = 0;
     }
 
     return TCPEDIT_OK; /* success */