authorGuy Harris <guy@alum.mit.edu>2018-08-05 20:24:48 -0700
committerGuy Harris <guy@alum.mit.edu>2019-10-02 13:36:23 -0700
commit080c59b49fccd2a1d5cd1a2525afde1d27454188 (patch)
tree6975fa4c3b48d9b3ceaa1f44f2dcdfd20d5ee9c7 /rpcapd
parent9df01dba7d4a698dbfec57e678e5a73dae93fa6d (diff)
downloadlibpcap-080c59b49fccd2a1d5cd1a2525afde1d27454188.tar.gz
Calculate the reply payload length in a local variable.
Using the same variable for the remaining request length and the reply length is confusing at best and can cause errors at worst (if the request had extra stuff at the end, so that the variable is non-zero). This addresses Include Security issue I8: [libpcap] Remote Packet Capture Daemon Parameter Reuse.
Diffstat (limited to 'rpcapd')
-rw-r--r--rpcapd/daemon.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c
index 831ecbfc..c338ade4 100644
--- a/rpcapd/daemon.c
+++ b/rpcapd/daemon.c
@@ -1571,6 +1571,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
pcap_if_t *d; // temp pointer needed to scan the interface chain
struct pcap_addr *address; // pcap structure that keeps a network address of an interface
struct rpcap_findalldevs_if *findalldevs_if;// rpcap structure that packet all the data of an interface together
+ uint32 replylen; // length of reply payload
uint16 nif = 0; // counts the number of interface listed
// Discard the rest of the message; there shouldn't be any payload.
@@ -1598,17 +1599,19 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
return 0;
}
- // checks the number of interfaces and it computes the total length of the payload
+ // This checks the number of interfaces and computes the total
+ // length of the payload.
+ replylen = 0;
for (d = alldevs; d != NULL; d = d->next)
{
nif++;
if (d->description)
- plen+= strlen(d->description);
+ replylen += strlen(d->description);
if (d->name)
- plen+= strlen(d->name);
+ replylen += strlen(d->name);
- plen+= sizeof(struct rpcap_findalldevs_if);
+ replylen += sizeof(struct rpcap_findalldevs_if);
for (address = d->addresses; address != NULL; address = address->next)
{
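Review bot: The string lengths accumulated at `replylen += strlen(d->description);` and `replylen += strlen(d->name);` are size_t values folded into a uint32, and the per-interface header that later carries them on the wire presumably stores each length in a narrower fixed-width field; if a name or description from the OS exceeds what that field can express, the payload length advertised by this pass would no longer match the bytes the send loop actually emits and the client would lose framing. Since this loop is now the single place the reply length is computed, it is also the natural place to reject such an interface, e.g. `if (d->name && strlen(d->name) > /* width of the wire-format namelen field */) goto error;`, with the same check for the description. The implicit size_t-to-uint32 narrowing on the `+=` is harmless for realistic inputs but worth a one-line comment noting the assumption. daemon_msg_findallif_req begins before this hunk.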
@@ -1621,7 +1624,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
#ifdef AF_INET6
case AF_INET6:
#endif
- plen+= (sizeof(struct rpcap_sockaddr) * 4);
+ replylen += (sizeof(struct rpcap_sockaddr) * 4);
break;
default:
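Review bot: The literal `4` in `replylen += (sizeof(struct rpcap_sockaddr) * 4);` is a magic number that the serialization pass later in the function must agree with exactly, and nothing in this hunk says what it counts. A comment or a named constant would tie the two together, e.g. `// four rpcap_sockaddr entries per address (presumably addr, netmask, broadaddr, dstaddr); must match the send loop below`, so that adding or dropping an address field in one pass cannot silently desynchronize the other. The switch's enclosing loop starts and ends outside this hunk.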
@@ -1637,7 +1640,7 @@ daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen)
goto error;
rpcap_createhdr((struct rpcap_header *) sendbuf, ver,
- RPCAP_MSG_FINDALLIF_REPLY, nif, plen);
+ RPCAP_MSG_FINDALLIF_REPLY, nif, replylen);
// send the interface list
for (d = alldevs; d != NULL; d = d->next)
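Review bot: `RPCAP_MSG_FINDALLIF_REPLY, nif, replylen` commits the header to a payload length before any of that payload has been serialized, and the length and the bytes are now produced by two separate passes over alldevs; any drift between them yields a reply whose framing the client cannot trust. A cheap consistency check at the end of the send loop — compare the number of payload bytes actually bufferized against replylen and `goto error` on mismatch, or at least `assert` it in debug builds — would catch that class of bug before the reply leaves the daemon. The send loop and the rest of the function are outside this hunk, so the exact insertion point is not visible here.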