Package: wireshark / 1.8.2-5wheezy18

Metadata

Package: wireshark
Version: 1.8.2-5wheezy18
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
65_fix_from_1.8.12_fix_NTLMSSPv2_crash.patch

epan/dissectors/packet-ntlmssp.c | 26 15 + 11 - 0 !
1 file changed, 15 insertions(+), 11 deletions(-)

 [patch] copy over r53626 with manual intervention.

66_fix_from_1.8.13_fix_BSSGP_crash.patch

epan/dissectors/packet-bssgp.c | 64 31 + 33 - 0 !
epan/dissectors/packet-gsm_a_bssmap.c | 43 18 + 25 - 0 !
epan/dissectors/packet-gsm_bssmap_le.c | 10 4 + 6 - 0 !
epan/dissectors/packet-gsm_sms.c | 57 27 + 30 - 0 !
epan/dissectors/packet-nas_eps.c | 39 17 + 22 - 0 !
epan/dissectors/packet-sgsap.c | 14 6 + 8 - 0 !
6 files changed, 103 insertions(+), 124 deletions(-)

 [patch] remove static packet_info *gpinfo and just use the
 packet_info provided by the function.

svn path=/trunk/; revision=49145

Conflicts:
	epan/dissectors/packet-bssgp.c
	epan/dissectors/packet-gsm_a_bssmap.c
	epan/dissectors/packet-gsm_sms.c
	epan/dissectors/packet-nas_eps.c
	epan/dissectors/packet-sgsap.c

67_fix_from_1.8.13_fix_NFS_crash.patch

epan/dissectors/packet-nfs.c | 15 11 + 4 - 0 !
1 file changed, 11 insertions(+), 4 deletions(-)

 [patch 1/3] harden nfs_name_snoop_add_name against various malformed
 inputs. Thanks to Moshe Kaplan for the report.

Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9672 and some
other cases in the same vein.

svn path=/trunk/; revision=54875

Conflicts:
	epan/dissectors/packet-nfs.c

68_fix_from_1.8.13_fix_RLC_crash.patch

epan/dissectors/packet-rlc.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch 2/3] don't mix emem and glib memory and init routines.

The seasonal memory is freed before the init routine is called, leading to a
whole bunch of use-after-free errors.

Fixes bug #9802 (and duplicates).

This introduces a few minor leaks but I can't find an easy way to add additional
free calls that doesn't lead to double-free errors.

69_fix_from_1.8.13_fix_MPEG_crash.patch

wiretap/mpeg.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 [patch 3/3] add a check for an oversized record.

For now we declare the file corrupt and give up. We may want to handle
this more gracefully. Fixes a vulnerability discovered by Wesley Neelen
(bug 9843).

Remove the RCS ID and add modelines.

70_fix_from_1.10.9_fix_Catapult_IrDA_crash.patch

plugins/irda/packet-irda.c | 4 2 + 2 - 0 !
wiretap/catapult_dct2000.c | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 [patch 1/4] catapult,irda: fix asan crashes due to buffer underrun

The catapult dissector tripped on this random file I had. A quick look
at other dissectors which use a construct like "-1] *= '*\\[rn]" showed
packet-irda too, so fix that as well.

Conflicts:
	wiretap/catapult_dct2000.c

71_fix_from_1.10.9_fix_BER_crash.patch

epan/dissectors/packet-ber.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/4] fix underflow in ber constrained bitstrings

this can happen and cause invalid memory accesses with incorrectly-large padding
values

Conflicts:
	epan/dissectors/packet-ber.c

Bug: 10187

72_fix_from_1.10.9_fix_RLC_crash.patch

epan/dissectors/packet-rlc.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 3/4] set the rlc len field before we try to use it in an
 expert info.

Conflicts:
	epan/dissectors/packet-rlc.c

Bug: 9795

73_fix_from_1.10.9_fix_GSM_crash.patch

epan/dissectors/packet-gsm_a_gm.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 4/4] initialize whole buffer in gprs mobility and session
 management dissector

Bug: 10216

74_fix_from_1.10.10_fix_RTP_crash.patch

epan/dissectors/packet-rtp.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch 1/6] don't free the hash if another one exists

Other dissectors may still have references. This is a quick hacky fix that adds
a (very small) memory leak since the real fix in master is way too big to
backport.

Conflicts:
	epan/dissectors/packet-rtp.c

Bug: 9920

75_fix_from_1.10.10_fix_MEGACO_crash.patch

epan/dissectors/packet-megaco.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/6] fix an infinite loop when the line has no length

Bug: 10333

76_fix_from_1.10.10_fix_RTSP_crash.patch

epan/dissectors/packet-rtsp.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch 3/6] rtsp: parse the correct token for the status code

Don't call get_token_len on next_token *and* pass in next_token to store the
subsequent pointer - the token we want to parse is the *current* value of
next_token, not the next next token (which may be beyond the end of the buffer,
if next_token happens to be the *last* token).

Conflicts:
	epan/dissectors/packet-rtsp.c

Bug: 10381

77_fix_from_1.10.10_fix_Netflow_crash.patch

epan/dissectors/packet-netflow.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 4/6] fix the uninitialized-read error reported in bug 10370.

Fix apparent cut-n-pasteo: if offset_e is set then we should be looking
at offset_e (instead of offset_s) and ts_end (instead of ts_start).

Bug: 10370

78_fix_from_1.10.10_fix_SES_crash.patch

epan/dissectors/packet-ses.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 5/6] ses: initialize pres_ctx_id in session struct

Bug: 10454

79_fix_from_1.10.10_fix_Sniffer_crash.patch

wiretap/ngsniffer.c | 39 29 + 10 - 0 !
1 file changed, 29 insertions(+), 10 deletions(-)

 [patch 6/6] add some additional checks in snifferdecompress().

Check the input pointer in the while clause of the loop, so that we
handle an empty input buffer.

When reading a bit mask, check before fetching the bit mask that we have
two bytes of bit mask and the byte after it.

Before putting an uncompressed input byte into the output, make sure we
wouldn't run past the end of the output buffer.

Before copying an earlier string from the output buffer, make sure it
doesn't run past the end of the data we've decompressed so far.

Bug: 10461

80_1.12.2_fix_TN5250_loop.patch

epan/dissectors/packet-tn5250.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 1/5] tn5250: fix an endless loop, exit when offset is not
 incremented

Bug: 10596

81_1.12.2_fix_NCP_crash_1.patch

epan/dissectors/packet-ncp2222.inc | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 2/5] ncp2222: initialize buffer in build_expert_data

We do a bunch of conditional logic to fill in the buffer, and then were checking
strlen(buffer) to see if we'd actually filled it in or not, but if we hadn't
then the buffer was garbage and strlen(buffer) was throwing valgrind warnings.
Ensure this works as intended by setting the first byte of the buffer
unconditionally at the beginning, so strlen(buffer) returns 0 as expected in
that case.

Bug: 10628

82_1.12.2_fix_NCP_crash_2.patch

epan/dissectors/packet-ncp2222.inc | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [patch 3/5] ncp2222: don't overflow buffer constructing string

Fixes stack-smashing vuln.

Somehow there was already an XXX in the code about this, but nobody realized at
the time it was worth fixing... really?

Bug: 10552

83_1.12.2_fix_SigComp_crash.patch

epan/sigcomp-udvm.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 4/5] sigcomp-udvm: fix invalid access

Way back in 2006, svn r20041 (now gd408f2f6fc) worked around a problem by
limiting the amount of buffer dealt with in the udvm_state_access call (changing
it from state_minimum_access_length_buff[n] to STATE_MIN_ACCESS_LEN).

The very next line however, tries to read the same amount of buffer to display
to the user - since it seems nobody ever applied a proper fix for the original
case, just apply the same workaround to the second call.

Conflicts:
	epan/sigcomp-udvm.c

Bug: 10662

84_1.12.2_fix_AMQP_crash.patch

epan/dissectors/packet-amqp.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch 5/5] packet-amqp.c: temporary/preliminary fix for bug #10582
 (crash)

This is a temporary/preliminary fix to prevent the buildbot fuzz-test
failures seen when testing the capture file attached to Bug #10582.

As noted in the bug, a complete fix will require some reworking of
the amqp dissector.

85_1.10.12_fix_TLS_crash.patch

epan/dissectors/packet-ssl-utils.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch 1/2] make sure we don't underrun a buffer when decrypting ssl.

Discovered by Noam Rathaus.

86_1.10.12_fix_DEC_DNA_crash.patch

epan/dissectors/packet-dec-dnart.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 2/2] dec-dnart: use pinfo-scoped memory for addresses

They may be accessed during the print phase, at which point packet-scope memory
has already been freed.

In the back-ported fix we use capture-lifetime memory.

Bug: 10724

87_1.10.13_fix_TNEF_crash.patch

epan/dissectors/packet-tnef.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch 1/3] tnef: fix overflow leading to infinite loop

Thanks to Vlad Tsyrklevich for the report, and Fabian Yamaguchi for the "joern"
tool which found the bug.

Bug: 11023

88_1.10.13_fix_pcapng_crash.patch

wiretap/pcapng.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/3] pcapng: don't fetch past the end of a garray.

Due to an off-by-one error an invalid ISB interface ID could make us
fetch past the end of a GArray. Found using American Fuzzy Lop.

Bug: 10895

89_1.10.13_fix_WCP_crash.patch

epan/dissectors/packet-wcp.c | 185 120 + 65 - 0 !
1 file changed, 120 insertions(+), 65 deletions(-)

 [patch 3/3] do bounds checking when decompressing wcp packets.

Extract the data offset and count only once, and make sure we don't run
past the end of the data we've copied from the packet; have
decompressed_entry() just do the decompression, rather than also
fetching the data offset and count.

Add some comments while we're at it.

I have basically copied the new code except for the whitespaces
instead of just back-porting the changes because the changes were
an almost full rewrite already.

Bug: 10844

90_1.10.14_fix_WCP_crash.patch

epan/dissectors/packet-wcp.c | 29 27 + 2 - 0 !
1 file changed, 27 insertions(+), 2 deletions(-)

 [patch] wcp: add validations to decompressed_entry

Ensure that a reference to past bytes refers to bytes that actually exist.

Bug: 10978

Conflicts:
	epan/dissectors/packet-wcp.c

91_1.12.8_fix_pcapng_crash.patch

wiretap/pcapng.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 1/5] pcapng: fixed copying if_filter_bpf_bytes

Bug: 11455

92_1.12.7_fix_ptvcursor_crash1.patch

epan/proto.c | 26 26 + 0 - 0 !
1 file changed, 26 insertions(+)

 [patch 1/4] add test_length to ptvcursor_add so it can do some bounds
 checking.

93_1.12.7_fix_ptvcursor_crash2.patch

epan/proto.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/4] fix ptvcursor_add() so it can dissect the last bytes in a
 TVB again.

ptvc->offset has already been incremented by the item length so don't use it as
the offset to test_length(); we need to use the original offset.

Problem introduced by Idfd258c734e7a946300b2564bebf6e4cb374c8d1.

94_1.12.7_fix_dissector table_crash.patch

epan/packet.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 3/4] protect dissector_get_(default_)string_handle() against
 NULL input string

Conflicts:
	epan/packet.c

Bug: 11381

95_1.12.7_fix_WaveAgent_crash.patch

epan/dissectors/packet-waveagent.c | 13 7 + 6 - 0 !
1 file changed, 7 insertions(+), 6 deletions(-)

 [patch 4/4] waveagent - use tvb_get_guint8 instead of tvb_get_ptr to
 walk a packet and protect against a really big tag value

Conflicts:
	epan/dissectors/packet-waveagent.c

Ping-Bug: 11358

96_1.12.9_fix_DCOM ensure to initialize IPv4 variable put on the s.patch

epan/dissectors/packet-dcom.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 1/6] dcom: ensure to initialize ipv4 variable put on the stack

Bug: 11610

97_1.12.9_fix_Fix out of bounds read in ascend_seek.patch

wiretap/ascendtext.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 2/6] fix out-of-bounds read in ascend_seek.

Bug: 11794

98_1.12.9_fix_RSVP copy all rsvp_request_key info in file scope.patch

epan/dissectors/packet-rsvp.c | 27 26 + 1 - 0 !
1 file changed, 26 insertions(+), 1 deletion(-)

 [patch 3/6] rsvp: copy all rsvp_request_key info in file scope

This is needed as it is later used for comparisons in the request hash table

Conflicts:
	epan/dissectors/packet-rsvp.c

Bug: 11793

99_1.12.9_fix_NLM fix double memory free when using Match MSG RES .patch

epan/dissectors/packet-nlm.c | 17 9 + 8 - 0 !
1 file changed, 9 insertions(+), 8 deletions(-)

 [patch 4/6] nlm: fix double memory free when using "match msg/res
 packets for async NLM" option

Conflicts:
	epan/dissectors/packet-nlm.c

100_1.12.9_fix_BER_crash.patch

epan/dissectors/packet-ber.c | 109 81 + 28 - 0 !
1 file changed, 81 insertions(+), 28 deletions(-)

 [patch 5/6] check *how many* fields sscanf() found.

In the code that parses a GeneralizedTime field, don't assume that all
fields were found; check the return value from sscanf().

This should clean up a fuzz failure on the 2.0 buildbot:

https://buildbot.wireshark.org/wireshark-2.0/builders/Fuzz%20Test/builds/13/steps/valgrind-wireshark/logs/stdio

Conflicts:
	epan/dissectors/packet-ber.c

101_1.12.9_fix_Fix buffer overrun in zlib decompression.patch

epan/tvbuff.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 6/6] fix buffer overrun in zlib decompression

After updating next_in (to remove the gzip header), avail_in must also
be updated. Failing to do so makes zlib read past the input buffer. In
theory this would result in a buffer overrun of at most double the input
length; in practice zlib returns as soon as the compression fails (after
reading a few bytes).

Conflicts:
	epan/tvbuff_zlib.c

Bug: 11548

102_1.12.9_RSL Just return rest of packet if TLV type is unknow.patch

epan/dissectors/packet-rsl.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [patch 102/110] [rsl] just return rest of packet if tlv type is
 unknown

Bug: 11829

103_1.12.10_Prevent infinite loop in DNP3 dissector.patch

epan/dissectors/packet-dnp.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 103/110] prevent infinite loop in dnp3 dissector.

Bug: 11941

104_1.12.10_rsl avoid buffer overread.patch

epan/dissectors/packet-rsl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 104/110] rsl: avoid buffer overread

Fixes a buffer overrun in dissct_rsl_ipaccess_msg when the tag is
exactly 0xff:

        tag = tvb_get_guint8(tvb, offset);
        tdef = &rsl_att_tlvdef.def[tag];

Bug: 11829

105_1.12.10_gsm_abis_oml fix buffer overrun.patch

epan/dissectors/packet-gsm_abis_oml.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 105/110] gsm_abis_oml: fix buffer overrun

Do not read outside boundaries when tag is exactly 0xff.

    tag = tvb_get_guint8(tvb, offset);
    tdef = find_tlv_tag(tag);
        ...
        return &nm_att_tlvdef_base.def[tag];

Bug: 11825

106_1.12.10_ber fix buffer overrun when handling empty sets.patch

epan/dissectors/packet-ber.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch 106/110] ber: fix buffer overrun when handling empty sets

When a set is empty, only a terminator (ber_sequence_t with NULL func)
is present. In that case, do not try to find more values as that will
never succeed.

Bug: 12106

107_1.12.9_Add boundary check for 802.11 decryption.patch

epan/crypt/airpdcap.c | 6 6 + 0 - 0 !
epan/crypt/airpdcap_system.h | 6 4 + 2 - 0 !
2 files changed, 10 insertions(+), 2 deletions(-)

 [patch 107/110] add boundary check for 802.11 decryption

Fixed stack-based buffer overflow when the frame length exceeds 8KB.

Bug: 11790

108_1.12.10_ber avoid deep recursion for constructed strings.patch

epan/dissectors/packet-ber.c | 20 17 + 3 - 0 !
1 file changed, 17 insertions(+), 3 deletions(-)

 [patch 108/110] ber: avoid deep recursion for constructed strings

Bound the recursion depth to avoid a stack overflow while parsing a
deeply nested constructed string.

Call chain before this patch:

 - dissect_ber_octet_string
   - dissect_ber_constrained_octet_string
     - reassemble_octet_string (called for constructed types)
       - dissect_ber_octet_string *recursion*

After this patch, the reassemble_octet_string will throw if the maximum
recursion depth is reached.

Conflicts:
	epan/dissectors/packet-ber.c

Bug: 11822

109_1.12.9_Diameter check IPv6 prefix length before copying it .patch

epan/dissectors/packet-diameter.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 109/110] diameter: check ipv6 prefix length before copying it
 in e_in6_addr structure

Conflicts:
	epan/dissectors/packet-diameter.c

Bug: 11792

110_1.12.9_Limit my_dgt_tbcd_unpack in writing to global buffer.patch

epan/dissectors/packet-ansi_a.c | 10 8 + 2 - 0 !
epan/dissectors/packet-gsm_a_common.c | 8 7 + 1 - 0 !
2 files changed, 15 insertions(+), 3 deletions(-)

 [patch 110/110] limit my_dgt_tbcd_unpack() in writing to global
 buffer

Ping-Bug: 11797