OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 16-Apr-2004 15:04:43
Branch: OPENPKG_1_3_SOLID Handle: 2004041614044200
Modified files: (Branch: OPENPKG_1_3_SOLID)
openpkg-src/ethereal ethereal.patch ethereal.spec
Log:
add patchcode to remove vulnerabilities in protocol dissectors, RADIUS
packets, and color filter dialog as described in OpenPKG-SA-2004.015
(CAN-2004-0176 and CAN-2004-0365)
Summary:
Revision Changes Path
1.1.2.2.2.1 +937 -2 openpkg-src/ethereal/ethereal.patch
1.11.2.3.2.2+1 -1 openpkg-src/ethereal/ethereal.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/ethereal/ethereal.patch
============================================================================
$ cvs diff -u -r1.1.2.2 -r1.1.2.2.2.1 ethereal.patch
--- openpkg-src/ethereal/ethereal.patch 24 Jul 2003 20:49:29 -0000 1.1.2.2
+++ openpkg-src/ethereal/ethereal.patch 16 Apr 2004 13:04:42 -0000
1.1.2.2.2.1
@@ -1,3 +1,4 @@
+diff -Nau gtk/main.c.orig gtk/main.c
--- gtk/main.c.orig Mon Sep 30 08:59:51 2002
+++ gtk/main.c Mon Sep 30 08:59:38 2002
@@ -43,6 +43,7 @@
@@ -6,5 +7,939 @@
#include <ctype.h>
+#include <unistd.h>
- #ifdef HAVE_IO_H
- #include <io.h> /* open/close on win32 */
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+diff -Nau Makefile.in.orig Makefile.in
+--- Makefile.in.orig 2003-12-13 18:12:49.000000000 +0100
++++ Makefile.in 2004-04-15 17:30:12.000000000 +0200
+@@ -2859,14 +2859,9 @@
+ # All subsequent arguments are the files to scan.
+ #
+ register.c: $(plugin_src) $(DISSECTOR_SRC) $(srcdir)/make-reg-dotc
+- @if test -n $(PYTHON); then \
+- echo Making register.c with python ; \
+- $(PYTHON) $(srcdir)/make-reg-dotc.py $(srcdir) $(DISSECTOR_SRC) ; \
+- else \
+- echo Making register.c with shell script ; \
+- $(srcdir)/make-reg-dotc register.c $(srcdir) \
+- $(plugin_src) $(DISSECTOR_SRC) ; \
+- fi
++ echo Making register.c with shell script ; \
++ $(srcdir)/make-reg-dotc register.c $(srcdir) \
++ $(plugin_src) $(DISSECTOR_SRC) ;
+
+ #
+ # Build "tethereal-tap-register.c", which contains a function
+diff -Nau gtk/color_filters.c.orig gtk/color_filters.c
+--- gtk/color_filters.c.orig 2004-04-14 16:08:36.133500000 +0200
++++ gtk/color_filters.c 2004-04-15 11:10:30.103952683 +0200
+@@ -30,6 +30,7 @@
+
+ #include <gtk/gtk.h>
+
++#include <ctype.h>
+ #include <string.h>
+
+ #include <epan/filesystem.h>
+@@ -47,7 +48,7 @@
+ static gboolean read_filters(void);
+ static gboolean read_global_filters(void);
+
+-GSList *filter_list;
++GSList *filter_list = NULL;
+
+ /* delete the specified filter */
+ void
+@@ -59,13 +60,12 @@
+ g_free(colorf->filter_text);
+ if (colorf->c_colorfilter != NULL)
+ dfilter_free(colorf->c_colorfilter);
+- filter_list = g_slist_remove(filter_list, colorf);
+ g_free(colorf);
+ }
+
+ /* delete the specified filter as an iterator*/
+ static void
+-delete_color_filter_it(gpointer filter_arg, gpointer ignored _U_)
++delete_color_filter_it(gpointer filter_arg, gpointer unused _U_)
+ {
+ color_filter_t *colorf = filter_arg;
+
+@@ -78,6 +78,8 @@
+ delete_all_color_filters (void)
+ {
+ g_slist_foreach(filter_list, delete_color_filter_it, NULL);
++ g_slist_free(filter_list);
++ filter_list = NULL;
+ }
+
+ /* Initialize the filter structures (reading from file) for general running,
including app startup */
+@@ -97,7 +99,7 @@
+ color_filter_t *colorf;
+ GtkStyle *style;
+
+- colorf = (color_filter_t *)g_malloc(sizeof (color_filter_t));
++ colorf = g_malloc(sizeof (color_filter_t));
+ colorf->filter_name = g_strdup(name);
+ colorf->filter_text = g_strdup(filter_string);
+ style = gtk_widget_get_style(packet_list);
+@@ -133,40 +135,109 @@
+ static gboolean
+ read_filters_file(gpointer file_arg)
+ {
+- /* TODO: Lots more syntax checking on the file */
+- /* I hate these fixed length names! TODO: make more dynamic */
+- /* XXX - buffer overflow possibility here
+- * sscanf blocks max size of name and filter_exp; buf is used for
+- * reading only */
+- gchar name[256],filter_exp[256], buf[1024];
++#define INIT_BUF_SIZE 128
++ gchar *name = NULL;
++ gchar *filter_exp = NULL;
++ guint32 name_len = INIT_BUF_SIZE;
++ guint32 filter_exp_len = INIT_BUF_SIZE;
++ guint32 i = 0;
++ gint32 c;
+ guint16 fg_r, fg_g, fg_b, bg_r, bg_g, bg_b;
+- GdkColor fg_color, bg_color;
+- color_filter_t *colorf;
+- dfilter_t *temp_dfilter;
+ FILE *f = file_arg;
++ gboolean skip_end_of_line = FALSE;
++
++ name = g_malloc(name_len + 1);
++ filter_exp = g_malloc(filter_exp_len + 1);
++
++ while (1) {
++
++ if (skip_end_of_line) {
++ do {
++ c = getc(f);
++ } while (c != EOF && c != '\n');
++ if (c == EOF)
++ break;
++ skip_end_of_line = FALSE;
++ }
++
++ while ((c = getc(f)) != EOF && isspace(c)) {
++ if (c == '\n') {
++ continue;
++ }
++ }
+
+- do {
+- if (fgets(buf,sizeof buf, f) == NULL)
++ if (c == EOF)
+ break;
+
+- if (strspn(buf," \t") == (size_t)((strchr(buf,'*') - buf))) {
+- /* leading # comment */
++ /* skip # comments and invalid lines */
++ if (c != '@') {
++ skip_end_of_line = TRUE;
+ continue;
+ }
+
+- /* we get the @ delimiter. It is not in any strings
++ /* we get the @ delimiter.
+ * Format is:
+ * @[EMAIL PROTECTED] [EMAIL PROTECTED] r,g,b][foreground r,g,b]
+ */
+- if (sscanf(buf," @[EMAIL PROTECTED]@[EMAIL
PROTECTED]@[%hu,%hu,%hu][%hu,%hu,%hu]",
+- name, filter_exp, &bg_r, &bg_g, &bg_b, &fg_r, &fg_g, &fg_b)
+- == 8) {
+- /* we got a filter */
++ /* retrieve name */
++ i = 0;
++ while (1) {
++ c = getc(f);
++ if (c == EOF || c == '@')
++ break;
++ if (i >= name_len) {
++ /* buffer isn't long enough; double its length.*/
++ name_len *= 2;
++ name = g_realloc(name, name_len + 1);
++ }
++ name[i++] = c;
++ }
++ name[i] = '\0';
++
++ if (c == EOF) {
++ break;
++ } else if (i == 0) {
++ skip_end_of_line = TRUE;
++ continue;
++ }
++
++ /* retrieve filter expression */
++ i = 0;
++ while (1) {
++ c = getc(f);
++ if (c == EOF || c == '@')
++ break;
++ if (i >= filter_exp_len) {
++ /* buffer isn't long enough; double its length.*/
++ filter_exp_len *= 2;
++ filter_exp = g_realloc(filter_exp, filter_exp_len + 1);
++ }
++ filter_exp[i++] = c;
++ }
++ filter_exp[i] = '\0';
++
++ if (c == EOF) {
++ break;
++ } else if (i == 0) {
++ skip_end_of_line = TRUE;
++ continue;
++ }
++
++ /* retrieve background and foreground colors */
++ if (fscanf(f,"[%hu,%hu,%hu][%hu,%hu,%hu]",
++ &bg_r, &bg_g, &bg_b, &fg_r, &fg_g, &fg_b) == 6) {
++
++ /* we got a complete color filter */
++
++ GdkColor fg_color, bg_color;
++ color_filter_t *colorf;
++ dfilter_t *temp_dfilter;
+
+ if (!dfilter_compile(filter_exp, &temp_dfilter)) {
+ simple_dialog(ESD_TYPE_CRIT, NULL,
+ "Could not compile color filter %s from saved filters.\n%s",
+ name, dfilter_error_msg);
++ skip_end_of_line = TRUE;
+ continue;
+ }
+ if (!get_color(&fg_color)) {
+@@ -175,6 +246,7 @@
+ "Could not allocate foreground color "
+ "specified in input file for %s.", name);
+ dfilter_free(temp_dfilter);
++ skip_end_of_line = TRUE;
+ continue;
+ }
+ if (!get_color(&bg_color)) {
+@@ -183,6 +255,7 @@
+ "Could not allocate background color "
+ "specified in input file for %s.", name);
+ dfilter_free(temp_dfilter);
++ skip_end_of_line = TRUE;
+ continue;
+ }
+
+@@ -198,19 +271,17 @@
+ gdkcolor_to_color_t(&colorf->bg_color, &bg_color);
+ gdkcolor_to_color_t(&colorf->fg_color, &fg_color);
+ } /* if sscanf */
++ skip_end_of_line = TRUE;
+ } while(!feof(f));
+ fclose(f);
++ g_free(name);
++ g_free(filter_exp);
+ return TRUE;
+ }
+ /* read filters from the user's filter file */
+ static gboolean
+ read_filters(void)
+ {
+- /* TODO: Lots more syntax checking on the file */
+- /* I hate these fixed length names! TODO: make more dynamic */
+- /* XXX - buffer overflow possibility here
+- * sscanf blocks max size of name and filter_exp; buf is used for
+- * reading only */
+ gchar *path;
+ FILE *f;
+
+@@ -222,10 +293,10 @@
+ "Could not open filter file\n\"%s\": %s.", path,
+ strerror(errno));
+ }
+- g_free((gchar *)path);
++ g_free(path);
+ return FALSE;
+ }
+- g_free((gchar *)path);
++ g_free(path);
+ path = NULL;
+
+ return read_filters_file(f);
+@@ -246,10 +317,10 @@
+ "Could not open global filter file\n\"%s\": %s.", path,
+ strerror(errno));
+ }
+- g_free((gchar *)path);
++ g_free(path);
+ return FALSE;
+ }
+- g_free((gchar *)path);
++ g_free(path);
+ path = NULL;
+
+ return read_filters_file(f);
+@@ -331,8 +402,12 @@
+ }
+
+ path = get_persconffile_path("colorfilters", TRUE);
+- if (!deletefile(path))
++ if (!deletefile(path)) {
++ g_free((gchar *)path);
+ return FALSE;
++ }
++
++ g_free((gchar *)path);
+
+ /* Reload the (global) filters - Note: this does not update the dialog. */
+ colfilter_init();
+diff -Nau gtk/color_filters.h.orig gtk/color_filters.h
+--- gtk/color_filters.h.orig 2003-05-17 18:33:02.000000000 +0200
++++ gtk/color_filters.h 2004-04-15 12:29:27.180473106 +0200
+@@ -24,10 +24,6 @@
+ #ifndef __COLOR_FILTERS_H__
+ #define __COLOR_FILTERS_H__
+
+-#define MAXCOLORS 255
+-#define MAX_COLOR_FILTER_NAME_LEN 33
+-#define MAX_COLOR_FILTER_STRING_LEN 256
+-
+ #define CFILTERS_CONTAINS_FILTER(filter) \
+ ((filter)->num_of_filters != 0)
+
+diff -Nau packet-bgp.c.orig packet-bgp.c
+--- packet-bgp.c.orig 2003-06-05 05:19:27.000000000 +0200
++++ packet-bgp.c 2004-04-14 17:18:16.239727753 +0200
+@@ -370,7 +370,7 @@
+
+ /* snarf length */
+ plen = tvb_get_guint8(tvb, offset);
+- if (plen > 32) {
++ if (plen > 32 || plen == 0) {
+ proto_tree_add_text(tree, tvb, offset, 1, "%s length %u invalid",
+ tag, plen);
+ return -1;
+@@ -415,7 +415,7 @@
+
+ /* snarf length */
+ plen = tvb_get_guint8(tvb, offset);
+- if (plen > 128) {
++ if (plen > 128 || plen == 0) {
+ proto_tree_add_text(tree, tvb, offset, 1, "%s length %u invalid",
+ tag, plen);
+ return -1;
+@@ -451,7 +451,7 @@
+ * Decode an MPLS label stack
+ * XXX - Should we convert "buf" to a GString?
+ */
+-static int
++static gint
+ decode_MPLS_stack(tvbuff_t *tvb, gint offset, char *buf, size_t buflen)
+ {
+ guint32 label_entry; /* an MPLS label enrty (label + COS field + stack
bit */
+@@ -553,6 +553,7 @@
+ case SAFNUM_UNICAST:
+ case SAFNUM_MULCAST:
+ case SAFNUM_UNIMULC:
++ case SAFNUM_MPLS_LABEL:
+ length = 16 ;
+ tvb_memcpy(tvb, ip6addr.u6_addr.u6_addr8,offset, 16);
+ g_string_sprintf(buf, "%s", ip6_to_str(&ip6addr));
+@@ -627,8 +628,8 @@
+ proto_tree *prefix_tree;
+ int total_length; /* length of the entire item */
+ int length; /* length of the prefix address, in
bytes */
+- guint8 plen; /* length of the prefix address, in
bits */
+- int labnum; /* number of labels */
++ guint plen; /* length of the prefix address, in
bits */
++ guint labnum; /* number of labels */
+ int ce_id,labblk_off;
+ union {
+ guint8 addr_bytes[4];
+@@ -662,7 +663,7 @@
+ return -1;
+ }
+ plen -= (labnum * 3*8);
+- if (plen > 32) {
++ if (plen > 32 || plen == 0) {
+ proto_tree_add_text(tree, tvb, start_offset, 1,
+ "%s IPv4 prefix length %u invalid",
+ tag, plen + (labnum * 3*8));
+@@ -717,7 +718,7 @@
+ switch (rd_type) {
+
+ case FORMAT_AS2_LOC: /* Code borrowed from the decode_prefix4 function
*/
+- if (plen > 32) {
++ if (plen > 32 || plen == 0) {
+ proto_tree_add_text(tree, tvb, start_offset, 1,
+ "%s IPv4 prefix length %u invalid",
+ tag, plen + (labnum * 3*8) + 8*8);
+@@ -752,7 +753,7 @@
+ case FORMAT_IP_LOC: /* Code borrowed from the decode_prefix4 function
*/
+ tvb_memcpy(tvb, ip4addr.addr_bytes, offset + 2, 4);
+
+- if (plen > 32) {
++ if (plen > 32 || plen == 0) {
+ proto_tree_add_text(tree, tvb, start_offset, 1,
+ "%s IPv4 prefix length %u invalid",
+ tag, plen + (labnum * 3*8) + 8*8);
+@@ -802,6 +803,38 @@
+ return -1;
+ break;
+
++ case SAFNUM_MPLS_LABEL:
++ plen = tvb_get_guint8(tvb, offset);
++ labnum = decode_MPLS_stack(tvb, offset + 1, lab_stk, sizeof(lab_stk));
++
++ offset += (1 + labnum * 3);
++ if (plen <= (labnum * 3*8)) {
++ proto_tree_add_text(tree, tvb, start_offset, 1,
++ "%s IPv6 prefix length %u invalid", tag, plen);
++ return -1;
++ }
++ plen -= (labnum * 3*8);
++
++ if (plen > 128 || plen == 0) {
++ proto_tree_add_text(tree, tvb, start_offset, 1,
++ "%s IPv6 prefix length %u invalid", tag, plen);
++ return -1;
++ }
++
++ length = (plen + 7) / 8;
++ memset(ip6addr.u6_addr.u6_addr8, 0, 16);
++ tvb_memcpy(tvb, ip6addr.u6_addr.u6_addr8, offset, length);
++ if (plen % 8)
++ ip6addr.u6_addr.u6_addr8[length - 1] &= ((0xff00 >> (plen % 8)) &
0xff);
++
++ ti = proto_tree_add_text(tree, tvb, start_offset,
++ (offset + length) - start_offset,
++ "Label Stack=%s, IP=%s/%u",
++ lab_stk,
++ ip6_to_str(&ip6addr), plen);
++ total_length = (1 + labnum * 3) + length;
++ break;
++
+ case SAFNUM_LAB_VPNUNICAST:
+ case SAFNUM_LAB_VPNMULCAST:
+ case SAFNUM_LAB_VPNUNIMULC:
+@@ -828,7 +861,7 @@
+ switch (rd_type) {
+
+ case FORMAT_AS2_LOC:
+- if (plen > 128) {
++ if (plen > 128 || plen == 0) {
+ proto_tree_add_text(tree, tvb, start_offset, 1,
+ "%s IPv6 prefix length %u invalid",
+ tag, plen + (labnum * 3*8) + 8*8);
+@@ -854,7 +887,7 @@
+ case FORMAT_IP_LOC:
+ tvb_memcpy(tvb, ip4addr.addr_bytes, offset + 2, 4);
+
+- if (plen > 128) {
++ if (plen > 128 || plen == 0) {
+ proto_tree_add_text(tree, tvb, start_offset, 1,
+ "%s IPv6 prefix length %u invalid",
+ tag, plen + (labnum * 3*8) + 8*8);
+diff -Nau packet-eigrp.c.orig packet-eigrp.c
+--- packet-eigrp.c.orig 2002-08-29 02:39:52.000000000 +0200
++++ packet-eigrp.c 2004-04-14 17:18:16.241179220 +0200
+@@ -312,12 +312,22 @@
+ proto_tree_add_text (tree,tvb,17,1,"Load = %u",tvb_get_guint8(tvb,17));
+ proto_tree_add_text (tree,tvb,18,2,"Reserved ");
+ length=tvb_get_guint8(tvb,20);
++ if (length > 32) {
++ proto_tree_add_text (tree,tvb,20,1,"Prefix length = %u (invalid, must be
<= 32)",length);
++ proto_item_append_text (ti," [Invalid prefix length %u > 32]",length);
++ } else if (length == 0) {
++ proto_tree_add_text (tree,tvb,20,1,"Prefix length = %u (invalid, must be >
0)",length);
++ proto_item_append_text (ti," [Invalid prefix length %u]",length);
++ } else {
+ proto_tree_add_text (tree,tvb,20,1,"Prefix Length = %u",length);
+- if (length % 8 == 0) addr_len=length/8 ; else addr_len=length/8+1;
++ addr_len=(length+7)/8;
+ ip_addr[0]=ip_addr[1]=ip_addr[2]=ip_addr[3]=0;
+ tvb_memcpy(tvb,ip_addr,21,addr_len);
++ if (length%8)
++ ip_addr[addr_len - 1] &= ((0xff00 >> (length % 8)) & 0xff);
+ proto_tree_add_text (tree,tvb,21,addr_len,"Destination =
%s",ip_to_str(ip_addr));
+ proto_item_append_text (ti," =
%s/%u%s",ip_to_str(ip_addr),length,((tvb_get_ntohl(tvb,4)==0xffffffff)?" - Destination
unreachable":""));
++ }
+ }
+
+ static void dissect_eigrp_ip_ext (tvbuff_t *tvb, proto_tree *tree, proto_item *ti)
+@@ -342,12 +352,22 @@
+ proto_tree_add_text (tree,tvb,37,1,"Load = %u",tvb_get_guint8(tvb,37));
+ proto_tree_add_text (tree,tvb,38,2,"Reserved ");
+ length=tvb_get_guint8(tvb,40);
++ if (length > 32) {
++ proto_tree_add_text (tree,tvb,40,1,"Prefix length = %u (invalid, must be
<= 32)",length);
++ proto_item_append_text (ti," [Invalid prefix length %u > 32]",length);
++ } else if (length == 0) {
++ proto_tree_add_text (tree,tvb,40,1,"Prefix length = %u (invalid, must be >
0)",length);
++ proto_item_append_text (ti," [Invalid prefix length %u]",length);
++ } else {
+ proto_tree_add_text (tree,tvb,40,1,"Prefix Length = %u",length);
+- if (length % 8 == 0) addr_len=length/8 ; else addr_len=length/8+1;
++ addr_len=(length+7)/8;
+ ip_addr[0]=ip_addr[1]=ip_addr[2]=ip_addr[3]=0;
+ tvb_memcpy(tvb,ip_addr,41,addr_len);
++ if (length%8)
++ ip_addr[addr_len - 1] &= ((0xff00 >> (length % 8)) & 0xff);
+ proto_tree_add_text (tree,tvb,41,addr_len,"Destination =
%s",ip_to_str(ip_addr));
+- proto_item_append_text (ti," =
%s/%u%s",ip_to_str(ip_addr),length,((tvb_get_ntohl(tvb,24)==0xffffffff)?" -
Destination unreachable":""));
++ proto_item_append_text (ti," =
%s/%u%s",ip_to_str(ip_addr),length,((tvb_get_ntohl(tvb,4)==0xffffffff)?" - Destination
unreachable":""));
++ }
+ }
+
+
+diff -Nau packet-netflow.c.orig packet-netflow.c
+--- packet-netflow.c.orig 2003-03-08 03:40:30.000000000 +0100
++++ packet-netflow.c 2004-04-14 17:18:16.243223207 +0200
+@@ -122,7 +122,6 @@
+ };
+
+ /* Version 9 template cache structures */
+-#define V9TEMPLATE_MAX_ENTRIES 64
+ #define V9TEMPLATE_CACHE_MAX_ENTRIES 100
+
+ struct v9_template_entry {
+@@ -136,7 +135,7 @@
+ guint32 length;
+ guint32 source_id;
+ guint32 source_addr;
+- struct v9_template_entry entries[V9TEMPLATE_MAX_ENTRIES];
++ struct v9_template_entry *entries;
+ };
+
+ static struct v9_template v9_template_cache[V9TEMPLATE_CACHE_MAX_ENTRIES];
+@@ -1160,6 +1159,7 @@
+ template.count = count;
+ template.source_addr = 0; /* XXX */
+ template.source_id = 0; /* XXX */
++ template.entries = g_malloc(count * sizeof(struct v9_template_entry));
+ tvb_memcpy(tvb, (guint8 *)template.entries, offset,
+ count * sizeof(struct v9_template_entry));
+ v9_template_add(&template);
+@@ -1368,6 +1368,22 @@
+ return (ip_to_str((const guint8 *)&gprefix));
+ }
+
++
++static void
++netflow_reinit(void)
++{
++ int i;
++
++ /*
++ * Clear out the template cache.
++ * Free the table of fields for each entry, and then zero out
++ * the cache.
++ */
++ for (i = 0; i < V9TEMPLATE_CACHE_MAX_ENTRIES; i++)
++ g_free(v9_template_cache[i].entries);
++ memset(v9_template_cache, 0, sizeof v9_template_cache);
++}
++
+ void
+ proto_register_netflow(void)
+ {
+@@ -1709,7 +1725,7 @@
+ "NetFlow UDP Port", "Set the port for NetFlow messages",
+ 10, &global_netflow_udp_port);
+
+- register_dissector("cflow", dissect_netflow, proto_netflow);
++ register_init_routine(&netflow_reinit);
+ }
+
+
+diff -Nau packet-pgm.c.orig packet-pgm.c
+--- packet-pgm.c.orig 2003-03-12 05:04:13.000000000 +0100
++++ packet-pgm.c 2004-04-14 17:18:16.246743589 +0200
+@@ -596,11 +596,25 @@
+ proto_tree *opt_tree = NULL;
+ pgm_opt_length_t opts;
+ pgm_opt_generic_t genopts;
+- int theend = 0, firsttime = 1;
++ gboolean theend = FALSE, firsttime = TRUE;
+
+ tvb_memcpy(tvb, (guint8 *)&opts, offset, sizeof(opts));
++ if (opts.type != PGM_OPT_LENGTH) {
++ proto_tree_add_text(tree, tvb, offset, 1,
++ "%s Options - initial option is %s, should be %s",
++ pktname,
++ val_to_str(opts.type, opt_vals, "Unknown (0x%02x)"),
++ val_to_str(PGM_OPT_LENGTH, opt_vals, "Unknown (0x%02x)"));
++ return;
++ }
+ opts.total_len = g_ntohs(opts.total_len);
+
++ if (opts.total_len < 4) {
++ proto_tree_add_text(opts_tree, tvb, offset, 4,
++ "%s Options (Total Length %u - invalid, must be >= 4)",
++ pktname, opts.total_len);
++ return;
++ }
+ tf = proto_tree_add_text(tree, tvb, offset,
+ opts.total_len,
+ "%s Options (Total Length %d)", pktname, opts.total_len);
+@@ -613,35 +627,61 @@
+ offset+2, 2, opts.total_len);
+
+ offset += 4;
+- for (opts.total_len -= 4; opts.total_len > 0;){
++ for (opts.total_len -= 4; !theend && opts.total_len != 0;){
++ if (opts.total_len < 4) {
++ proto_tree_add_text(opts_tree, tvb, offset, opts.total_len,
++ "Remaining total options length doesn't have enough for an
options header");
++ break;
++ }
+ tvb_memcpy(tvb, (guint8 *)&genopts, offset, sizeof(genopts));
+ if (genopts.type & PGM_OPT_END) {
+ genopts.type &= ~PGM_OPT_END;
+- theend = 1;
++ theend = TRUE;
++ }
++ if (genopts.len < 4) {
++ proto_tree_add_text(opts_tree, tvb, offset, genopts.len,
++ "Option: %s, Length: %u (invalid, must be >= 4)",
++ val_to_str(genopts.type, opt_vals, "Unknown (0x%02x)"),
++ genopts.len);
++ break;
++ }
++ if (opts.total_len < genopts.len) {
++ proto_tree_add_text(opts_tree, tvb, offset, genopts.len,
++ "Option: %s, Length: %u (> remaining total options
length)",
++ val_to_str(genopts.type, opt_vals, "Unknown (0x%02x)"),
++ genopts.len);
++ break;
+ }
+ tf = proto_tree_add_text(opts_tree, tvb, offset, genopts.len,
+ "Option: %s, Length: %u",
+ val_to_str(genopts.type, opt_vals, "Unknown (0x%02x)"),
+ genopts.len);
+- if (genopts.len == 0)
+- break;
+
+ switch(genopts.type) {
+ case PGM_OPT_JOIN:{
+ pgm_opt_join_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_join);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long)sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx, tvb,
+ offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_join_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -653,18 +693,27 @@
+ case PGM_OPT_PARITY_PRM:{
+ pgm_opt_parity_prm_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_parityprm);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint_format(opt_tree, hf_pgm_opt_parity_prm_po,
tvb,
+ offset+3, 1, optdata.po, "Parity Parameters: %s
(0x%x)",
+ paritystr(optdata.po), optdata.po);
+@@ -677,18 +726,27 @@
+ case PGM_OPT_PARITY_GRP:{
+ pgm_opt_parity_grp_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_paritygrp);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_parity_grp_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -703,18 +761,27 @@
+ char nakbuf[8192], *ptr;
+ int i, j, naks, soffset = 0;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_naklist);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type, tvb,
+ offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_nak_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -742,7 +809,7 @@
+ nakbuf, "List: %s", nakbuf);
+ soffset = 0;
+ }
+- firsttime = 0;
++ firsttime = FALSE;
+ }
+ }
+ if (soffset) {
+@@ -763,18 +830,27 @@
+ case PGM_OPT_PGMCC_DATA:{
+ pgm_opt_pgmcc_data_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_ccdata);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_ccdata_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -812,18 +888,27 @@
+ case PGM_OPT_PGMCC_FEEDBACK:{
+ pgm_opt_pgmcc_feedback_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_ccdata);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_ccfeedbk_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -861,18 +946,27 @@
+ case PGM_OPT_NAK_BO_IVL:{
+ pgm_opt_nak_bo_ivl_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_nak_bo_ivl);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx, tvb,
+ offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_nak_bo_ivl_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -887,7 +981,6 @@
+ case PGM_OPT_NAK_BO_RNG:{
+ pgm_opt_nak_bo_rng_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_nak_bo_rng);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+@@ -896,12 +989,22 @@
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx, tvb,
+ offset+2, 1, genopts.opx);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_nak_bo_rng_res, tvb,
+ offset+3, 1, optdata.res);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree,
hf_pgm_opt_nak_bo_rng_min_bo_ivl, tvb,
+ offset+4, 4, g_ntohl(optdata.min_bo_ivl));
+
+@@ -913,18 +1016,27 @@
+ case PGM_OPT_REDIRECT:{
+ pgm_opt_redirect_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_redirect);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx,
+ tvb, offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_redirect_res, tvb,
+ offset+3, 1, optdata.res);
+
+@@ -959,18 +1071,27 @@
+ case PGM_OPT_FRAGMENT:{
+ pgm_opt_fragment_t optdata;
+
+- tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
+ opt_tree = proto_item_add_subtree(tf, ett_pgm_opts_fragment);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_type,
+ tvb, offset, 1, genopts.type);
+
++ if (genopts.len < sizeof optdata) {
++ proto_tree_add_uint_format(opt_tree,
hf_pgm_genopt_len, tvb,
++ offset+1, 1, genopts.len,
++ "Length: %u (bogus, must be >= %lu)",
++ genopts.len,
++ (unsigned long) sizeof optdata);
++ break;
++ }
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_len, tvb,
+ offset+1, 1, genopts.len);
+
+ proto_tree_add_uint(opt_tree, hf_pgm_genopt_opx, tvb,
+ offset+2, 1, genopts.opx);
+
++ tvb_memcpy(tvb, (guint8 *)&optdata, offset, sizeof(optdata));
++
+ proto_tree_add_uint(opt_tree, hf_pgm_opt_fragment_res, tvb,
+ offset+3, 1, optdata.res);
+
+diff -Nau packet-radius.c.orig packet-radius.c
+--- packet-radius.c.orig 2003-07-19 16:48:57.000000000 +0200
++++ packet-radius.c 2004-04-15 10:54:39.670423128 +0200
+@@ -2789,6 +2789,7 @@
+ guint8 *reassembled_data = NULL;
+ int reassembled_data_len = 0;
+ int data_needed = 0;
++ char *attr_info_str = "(Invalid)";
+
+ if (avplength==0)
+ {
+@@ -2813,9 +2814,12 @@
+ * fields, so it must be >= 2.
+ */
+ if (tree) {
++ if (avptpstrval) {
++ attr_info_str = avptpstrval;
++ }
+ proto_tree_add_text(tree, tvb, offset, avph.avp_length,
+ "t:%s(%u) l:%u (length not >= 2)",
+- avptpstrval, avph.avp_type, avph.avp_length);
++ attr_info_str, avph.avp_type, avph.avp_length);
+ }
+ break;
+ }
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/ethereal/ethereal.spec
============================================================================
$ cvs diff -u -r1.11.2.3.2.1 -r1.11.2.3.2.2 ethereal.spec
--- openpkg-src/ethereal/ethereal.spec 29 Jul 2003 14:58:48 -0000
1.11.2.3.2.1
+++ openpkg-src/ethereal/ethereal.spec 16 Apr 2004 13:04:42 -0000
1.11.2.3.2.2
@@ -33,7 +33,7 @@
Group: Network
License: GPL
Version: 0.9.14
-Release: 1.3.0
+Release: 1.3.1
# package options
%option with_zlib no
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
