From: guy
Date: Mon, 15 Jan 2001 03:59:13 +0000 (+0000)
Subject: Do some additional bounds checking when dissecting SMB packets.
X-Git-Tag: tcpdump-3.7.1~302
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/0056894f4eb61e343fe4badaf52843dd6461bc44

Do some additional bounds checking when dissecting SMB packets.
---
diff --git a/interface.h b/interface.h
index 1ef06e5c..43d31e21 100644
--- a/interface.h
+++ b/interface.h
@@ -18,7 +18,7 @@
  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.150 2001-01-15 03:23:58 guy Exp $ (LBL)
+ * @(#) $Header: /tcpdump/master/tcpdump/interface.h,v 1.151 2001-01-15 03:59:13 guy Exp $ (LBL)
  */
 
 #ifndef tcpdump_interface_h
@@ -252,7 +252,7 @@ extern int esp_print(register const u_char *, register const u_char *, int *);
 extern void isakmp_print(const u_char *, u_int, const u_char *);
 extern int ipcomp_print(register const u_char *, register const u_char *, int *);
 extern void rx_print(register const u_char *, int, int, int, u_char *);
-extern void netbeui_print(u_short, const u_char *, const u_char *);
+extern void netbeui_print(u_short, const u_char *, int);
 extern void ipx_netbios_print(const u_char *, u_int);
 extern void nbt_tcp_print(const u_char *, int);
 extern void nbt_udp137_print(const u_char *data, int);
diff --git a/print-llc.c b/print-llc.c
index 2d49d618..4557c4f0 100644
--- a/print-llc.c
+++ b/print-llc.c
@@ -24,7 +24,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.34 2001-01-15 03:24:00 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-llc.c,v 1.35 2001-01-15 03:59:13 guy Exp $";
 #endif
 
 #ifdef HAVE_CONFIG_H
@@ -164,7 +164,7 @@ llc_print(const u_char *p, u_int length, u_int caplen,
 			length -= 2;
 			caplen -= 2;
 		}
-		netbeui_print(control, p, p + min(caplen, length));
+		netbeui_print(control, p, length);
 		return (1);
 	}
 	if (llc.ssap == LLCSAP_ISONS && llc.dsap == LLCSAP_ISONS
diff --git a/print-smb.c b/print-smb.c
index f3002e09..debcb654 100644
--- a/print-smb.c
+++ b/print-smb.c
@@ -11,7 +11,7 @@
 
 #ifndef lint
 static const char rcsid[] =
-    "@(#) $Header: /tcpdump/master/tcpdump/print-smb.c,v 1.8 2001-01-15 03:24:00 guy Exp $";
+    "@(#) $Header: /tcpdump/master/tcpdump/print-smb.c,v 1.9 2001-01-15 03:59:14 guy Exp $";
 #endif
 
 #include
@@ -918,8 +918,10 @@ out:
 void nbt_udp138_print(const uchar *data, int length)
 {
     const uchar *maxbuf = data + length;
-    startbuf = data;
+
+    if (maxbuf > snapend) maxbuf = snapend;
     if (maxbuf <= data) return;
+    startbuf = data;
 
     data = fdata(data,"\n>>> NBT UDP PACKET(138) Res=[rw] ID=[rw] IP=[b.b.b.b] Port=[rd] Length=[rd] Res2=[rw]\nSourceName=[n1]\nDestName=[n1]\n#",maxbuf);
 
@@ -935,13 +937,21 @@ void nbt_udp138_print(const uchar *data, int length)
 
 
 /* print netbeui frames */
-void netbeui_print(u_short control, const uchar *data, const uchar *maxbuf)
+void netbeui_print(u_short control, const uchar *data, int length)
 {
-    int len = SVAL(data,0);
-    int command = CVAL(data,4);
-    const uchar *data2 = data + len;
+    const uchar *maxbuf = data + length;
+    int len;
+    int command;
+    const uchar *data2;
     int is_truncated = 0;
 
+    if (maxbuf > snapend)
+        maxbuf = snapend;
+    if (&data[7] >= maxbuf)
+        goto out;
+    len = SVAL(data,0);
+    command = CVAL(data,4);
+    data2 = data + len;
     if (data2 >= maxbuf) {
         data2 = maxbuf;
         is_truncated = 1;
@@ -1004,7 +1014,7 @@ void netbeui_print(u_short control, const uchar *data, const uchar *maxbuf)
     }
 
     /* If there isn't enough data for "\377SMB", don't look for it. */
-    if (!TTEST2(data2[3], 4))
+    if (&data2[3] >= maxbuf)
         goto out;
 
     if (memcmp(data2,"\377SMB",4)==0) {
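Review bot: The call site no longer clamps its third argument to `caplen`, and nothing at this line says why `min(caplen, length)` was safe to drop; the reader has to know that `netbeui_print` now clamps its own end pointer to `snapend`. A one-line comment above the call would keep that contract visible, e.g. `/* netbeui_print() clamps to snapend itself, so pass the full LLC payload length. */`. The `length -= 2; caplen -= 2;` context lines sit inside a block whose condition is outside the hunk, so whether `length` (a `u_int`, which would wrap) can already be below 2 at this point cannot be judged from the hunk alone.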
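Review bot: `const uchar *maxbuf = data + length;` is formed before anything checks that `length` fits in the captured data, so for an `int` length that is negative or larger than the bytes left before `snapend` the code builds an out-of-range pointer and only then compares it; the same pattern is in `netbeui_print` in the next hunk and in `ipx_netbios_print` at the end of the patch (there with a `u_int` length, where a very large value can wrap the pointer on a 32-bit host instead of landing below `data`). The `maxbuf > snapend` clamp works on the usual flat address spaces, but C gives no guarantee for comparing a pointer that was never inside the buffer. Assuming `data <= snapend` holds on entry, as it does for dissector pointers elsewhere in tcpdump, the bound can be chosen from the distance to `snapend` so that `data + length` is only evaluated when it is known to stay inside the capture. The function continues past the hunk.

```c
void nbt_udp138_print(const uchar *data, int length)
{
    const uchar *maxbuf;

    /* Derive the end pointer from the distance to snapend, so that
     * data + length is only formed when it stays inside the capture. */
    if (length <= 0)
        maxbuf = data;
    else if (length > snapend - data)
        maxbuf = snapend;
    else
        maxbuf = data + length;
    /* … unchanged: maxbuf <= data check, startbuf, fdata() call … */
```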
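Review bot: The new `if (&data[7] >= maxbuf) goto out;` guard in `netbeui_print` carries no comment, so the reason for requiring eight bytes is not visible: `SVAL(data,0)` and `CVAL(data,4)` on the following lines only touch bytes 0–1 and 4, and the remaining header bytes are presumably consumed by the printing further down, outside the hunk. A comment such as `/* Need 8 bytes of header before reading len (bytes 0-1) and command (byte 4). */` would tie the constant to the layout, and the `maxbuf > snapend` clamp here deserves the same `/* Don't go past the end of the captured data in the packet. */` note this patch adds in `ipx_netbios_print`. It is also worth stating in that comment that a short header reaches `out:` without `is_truncated` being set, if that label reports truncation; `out:` is outside the hunk.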
@@ -1012,8 +1022,6 @@ void netbeui_print(u_short control, const uchar *data, const uchar *maxbuf)
     } else {
         int i;
         for (i=0;i<128;i++) {
-            if (!TTEST2(data2[i], 4))
-                break;
             if (&data2[i+3] >= maxbuf)
                 break;
             if (memcmp(&data2[i],"\377SMB",4)==0) {
@@ -1040,10 +1048,11 @@ void ipx_netbios_print(const uchar *data, u_int length)
     const uchar *maxbuf;
 
     maxbuf = data + length;
+    /* Don't go past the end of the captured data in the packet. */
+    if (maxbuf > snapend)
+        maxbuf = snapend;
     startbuf = data;
     for (i=0;i<128;i++) {
-        if (!TTEST2(data[i], 4))
-            break;
         if (&data[i+3] >= maxbuf)
             break;
         if (memcmp(&data[i],"\377SMB",4)==0) {
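Review bot: The `for (i=0;i<128;i++)` scan for the `"\377SMB"` signature in `ipx_netbios_print` uses a bare 128, and the same loop appears in the `netbeui_print` hunk just above; neither says what the number means, and the two copies can drift. A named constant shared by both, e.g. `#define SMB_SIG_SCAN_LIMIT 128` (a constructed name) with a comment that the signature is searched for within the first 128 bytes, would make the loop bound self-explaining. With the clamp to `snapend` above it, the `&data[i+3] >= maxbuf` check that now stands alone is sufficient for the 4-byte `memcmp` on the next line. Both loop bodies continue outside their hunks.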