Do bounds checking on references to the bids array.

Addresses GitHub issue #484.

diff --git a/Makefile.in b/Makefile.in
index 8bd95e35bc7203244eef160aa0e889b81e14dc25..0f2c9c6a16df635c2124a76d73699eab897d62cd 100644 (file)
--- a/Makefile.in
+++ b/Makefile.in
@@ -133,6 +133,7 @@ HDR = $(PUBHDR) \
        llc.h \
        nametoaddr.h \
        nlpid.h \
+       optimize.h \
        pcap-common.h \
        pcap-int.h \
        pcap-rpcap.h \

diff --git a/bpf_dump.c b/bpf_dump.c
index b59d60738f21eb5beb581c42a62cad4cb58ca538..a9c91169fbbba792059b30f6e68ad17c099cc1b8 100644 (file)
--- a/bpf_dump.c
+++ b/bpf_dump.c
@@ -26,6 +26,8 @@
 #include <pcap.h>
 #include <stdio.h>
 
+#include "optimize.h"
+
 void
 bpf_dump(const struct bpf_program *p, int option)
 {
@@ -50,8 +52,7 @@ bpf_dump(const struct bpf_program *p, int option)
        }
        for (i = 0; i < n; ++insn, ++i) {
 #ifdef BDEBUG
-               extern int bids[];
-               if (bids[i] > 0)
+               if (i < NBIDS && bids[i] > 0)
                        printf("[%02d]", bids[i] - 1);
                else
                        printf(" -- ");

diff --git a/optimize.c b/optimize.c
index 13dd207a50a83a700120e8a5ab9c5e0896540afe..b3890394705c6ff4f5b32b13c0b516f04f042f41 100644 (file)
--- a/optimize.c
+++ b/optimize.c
@@ -37,6 +37,7 @@
 #include "pcap-int.h"
 
 #include "gencode.h"
+#include "optimize.h"
 
 #ifdef HAVE_OS_PROTO_H
 #include "os-proto.h"
@@ -2062,7 +2063,7 @@ opt_init(compiler_state_t *cstate, opt_state_t *opt_state, struct icode *ic)
  * and expect it to provide meaningful information.
  */
 #ifdef BDEBUG
-int bids[1000];
+int bids[NBIDS];
 #endif
 
 /*
@@ -2190,7 +2191,8 @@ filled:
                free(offset);
 
 #ifdef BDEBUG
-       bids[dst - conv_state->fstart] = p->id + 1;
+       if (dst - conv_state->fstart < NBIDS)
+               bids[dst - conv_state->fstart] = p->id + 1;
 #endif
        dst->code = (u_short)p->s.code;
        dst->k = p->s.k;

diff --git a/optimize.h b/optimize.h
new file mode 100644 (file)
index 0000000..d8f646c
--- /dev/null
+++ b/optimize.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
+ *     The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/*
+ * Some stuff for use when debugging the optimizer.
+ */
+#ifdef BDEBUG
+extern int pcap_optimizer_debug;       /* optimizer debugging level */
+
+#define NBIDS  1000
+extern int bids[NBIDS];
+#endif

diff --git a/pcap.c b/pcap.c
index 1c304ad0f49019c1429d0a85f5ba499001e380c0..64d64ed75d455fb23880153e8d33a6e227b9ffbe 100644 (file)
--- a/pcap.c
+++ b/pcap.c
@@ -78,6 +78,8 @@ struct rtentry;               /* declarations in <net/if.h> */
 
 #include "pcap-int.h"
 
+#include "optimize.h"
+
 #ifdef HAVE_DAG_API
 #include "pcap-dag.h"
 #endif /* HAVE_DAG_API */
@@ -3928,8 +3930,6 @@ PCAP_API void pcap_set_optimizer_debug(int value);
 PCAP_API_DEF void
 pcap_set_optimizer_debug(int value)
 {
-       extern int pcap_optimizer_debug;
-
        pcap_optimizer_debug = value;
 }
 #endif