From 37dcfdf79e1ac6dcacd565894cd7717aa0224164 Mon Sep 17 00:00:00 2001
From: NickSampanis <nicksampanis@gmail.com>
Date: Fri, 17 Oct 2014 19:24:49 +0300
Subject: [PATCH] Fix gg dissector arbitrary length heap overflow
---
src/dissectors/ec_gg.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/dissectors/ec_gg.c b/src/dissectors/ec_gg.c
index 6f8260d..9665894 100644
--- a/src/dissectors/ec_gg.c
+++ b/src/dissectors/ec_gg.c
@@ -358,6 +358,8 @@ FUNC_DECODER(dissector_gg)
if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
gg_get_status(gg_login50->status,tbuf);
gg_get_version(gg_login50->version,tbuf3);
+ if ((int)gg->len-22 < 0)
+ return NULL;
strncpy(tbuf2,gg_login50->description, (gg->len)-22);
tbuf2[(gg->len)-22]='\0';
sprintf(user,"%u",gg_login50->uin);
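Review bot: The guard added at line 16 only rejects a `gg->len` smaller than the 22-byte offset; a declared length larger than the destination still lets the `strncpy` at line 18 and the terminator store at line 19 run past `tbuf2`, which is the overflow the subject names. The same one-sided check is repeated in the GG_LOGIN60, GG_LOGIN70, GG_STATUS, GG_NEW_STATUS, GG_STATUS50, GG_STATUS60 and GG_STATUS70 hunks with their own offsets. Because `gg->len` is taken from the packet, the check should bound the copy both by the capacity of `tbuf2` and by the bytes actually captured (presumably `PACKET->DATA.len`; confirm where `gg` is pointed into the payload), and it can be written without the `int` cast. For this hunk that is roughly `if (gg->len < 22 || gg->len - 22 >= TBUF2_SIZE) return NULL;` where TBUF2_SIZE is the array's `sizeof` or its allocation size, neither of which is visible here. dissector_gg's body continues outside the hunk.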
@@ -378,6 +380,8 @@ if ((gg->type == GG_LOGIN50_CMD) && !FROM_SERVER("gg", PACKET)) {
else if (gg->type == GG_LOGIN60_CMD) {
gg_get_status(gg_login60->status,tbuf);
gg_get_version(gg_login60->version,tbuf3);
+ if ((int)gg->len-31 < 0)
+ return NULL;
strncpy(tbuf2,gg_login60->description, (gg->len)-31);
tbuf2[(gg->len)-31]='\0';
sprintf(user,"%u",gg_login60->uin);
@@ -400,6 +404,8 @@ else if (gg->type == GG_LOGIN60_CMD) {
else if (gg->type == GG_LOGIN70_CMD) {
gg_get_status(gg_login70->status,tbuf);
gg_get_version(gg_login70->version,tbuf3);
+ if ((int)gg->len-92 < 0)
+ return NULL;
strncpy(tbuf2,gg_login70->description, (gg->len)-92);
tbuf2[(gg->len)-92]='\0';
sprintf(user,"%u",gg_login70->uin);
@@ -447,6 +453,8 @@ else if (gg->type == GG_WELCOME_CMD) {
#ifdef GG_CONTACTS_STATUS_CHANGES
else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
gg_get_status(gg_status->status,tbuf);
+ if ((int)gg->len-8 < 0)
+ return NULL;
strncpy(tbuf2,gg_status->description, (gg->len)-8);
tbuf2[(gg->len)-8]='\0';
DISSECT_MSG("GG : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -459,6 +467,8 @@ else if ((gg->type == GG_STATUS_CMD) && FROM_SERVER("gg", PACKET)) {
#endif
else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
gg_get_status(gg_new_status->status,tbuf);
+ if ((int)gg->len-4 < 0)
+ return NULL;
strncpy(tbuf2,gg_new_status->description, (gg->len)-4);
tbuf2[(gg->len)-4]='\0';
DISSECT_MSG("GG : %s:%d -> %s:%d - NEW STATUS STATUS: %s (%s)\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -471,6 +481,8 @@ else if ((gg->type == GG_NEW_STATUS_CMD) && !FROM_SERVER("gg", PACKET)) {
else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
gg_get_status(gg_status50->status,tbuf);
gg_get_version(gg_status50->version,tbuf3);
+ if ((int)gg->len-20 < 0)
+ return NULL;
strncpy(tbuf2,gg_status50->description, (gg->len)-20);
tbuf2[(gg->len)-20]='\0';
DISSECT_MSG("GG4/5 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -486,6 +498,8 @@ else if ((gg->type == GG_STATUS50_CMD) && FROM_SERVER("gg", PACKET)) {
else if (gg->type == GG_STATUS60_CMD) {
gg_get_status(gg_status60->status,tbuf);
gg_get_version(gg_status60->version,tbuf3);
+ if ((int)gg->len-14 < 0)
+ return NULL;
strncpy(tbuf2,gg_status60->description, (gg->len)-14);
tbuf2[(gg->len)-14]='\0';
DISSECT_MSG("GG6 : %s:%d -> %s:%d - STATUS CHANGED UIN: %u STATUS: %s (%s) VERSION: %s RIP: %u.%u.%u.%u:%u\n", ip_addr_ntoa(&PACKET->L3.src, tmp),
@@ -500,6 +514,8 @@ else if (gg->type == GG_STATUS60_CMD) {
}
else if (gg->type == GG_STATUS70_CMD) {
gg_get_status(gg_status70->status,tbuf);
+ if ((int)gg->len-18 < 0)
+ return NULL;
gg_get_version(gg_status70->version,tbuf3);
strncpy(tbuf2,gg_status70->description, (gg->len)-18);
tbuf2[(gg->len)-18]='\0';
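Review bot: The guard at lines 79–80 is inserted before `gg_get_version` rather than directly before the `strncpy` it protects, unlike the other seven hunks; moving it to just after line 81 keeps the ordering consistent and keeps the length check adjacent to the copy it bounds. dissector_gg's body continues outside the hunk.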