authorAnders Broman <anders.broman@ericsson.com>2012-04-18 05:29:02 +0000
committerAnders Broman <anders.broman@ericsson.com>2012-04-18 05:29:02 +0000
commite6b7af69b566ca4cbb52922f79ce2a8d32dea02e (patch)
tree7c0a0b83a2df0e454cd6230d5e2bf63436f20d0b /epan/dissectors/packet-assa_r3.c
parent67c79aea50d5f409b87ff52c5bbdb59829bd8f64 (diff)
From Evan Huus: There were two cases where we could underflow an unsigned subtraction, leading to huge values and near-infinite loops. Catch them and add an expert_info warning that the packet is bad. Also fix some other expert_info messages to hang off of the right dissection tree. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125
svn path=/trunk/; revision=42122
Diffstat (limited to 'epan/dissectors/packet-assa_r3.c')
-rw-r--r--epan/dissectors/packet-assa_r3.c26
1 files changed, 20 insertions, 6 deletions
diff --git a/epan/dissectors/packet-assa_r3.c b/epan/dissectors/packet-assa_r3.c
index 4abed8ed3e..55f5d381c3 100644
--- a/epan/dissectors/packet-assa_r3.c
+++ b/epan/dissectors/packet-assa_r3.c
@@ -3315,6 +3315,7 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_,
guint32 fieldType = tvb_get_guint8 (tvb, offset + 1);
guint32 dataLength = fieldLength - 2;
proto_item *upstreamfield_item = NULL;
+ proto_item *upstreamfield_length = NULL;
proto_tree *upstreamfield_tree = NULL;
const gchar *usfn = NULL;
@@ -3323,9 +3324,15 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_,
upstreamfield_item = proto_tree_add_none_format (tree, hf_r3_upstreamfield, tvb, offset + 0, fieldLength, "Upstream Field: %s (%u)", usfn, fieldType);
upstreamfield_tree = proto_item_add_subtree (upstreamfield_item, ett_r3upstreamfield);
- proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
+ upstreamfield_length = proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldtype, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
+ if (fieldLength < 2)
+ {
+ dataLength = 0;
+ expert_add_info_format (pinfo, upstreamfield_length, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets.");
+ }
+
offset += 2;
switch (fieldType)
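Review bot: The expert info added in the `if (fieldLength < 2)` guard files an impossible length under `PI_UNDECODED, PI_WARN`, although its own message says "Malformed length value"; `PI_MALFORMED, PI_ERROR` would match the condition and makes the packet show up when a capture is filtered for malformed frames. The same applies to the `len_field` call added in dissect_r3_cmd_manageuser. A short comment above the guard, for example `/* fieldLength counts the length and type octets, so < 2 would wrap dataLength */`, would record why dataLength is reset after it has already been computed as `fieldLength - 2`. The body of dissect_r3_upstreamfields starts and ends outside this hunk.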
@@ -4654,15 +4661,22 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
guint32 paramType = tvb_get_guint8 (payload_tvb, offset + 1);
guint32 dataLength = paramLength - 2;
proto_tree *mu_tree = NULL;
+ proto_item *len_field = NULL;
const gchar *auptn = NULL;
auptn = val_to_str_ext_const (paramType, &r3_adduserparamtypenames_ext, "[Unknown Field]");
mu_tree = proto_item_add_subtree (proto_tree_add_none_format (tree, hf_r3_adduserparamtype, payload_tvb, offset + 0, paramLength, "Manage User Field: %s (%u)", auptn, paramType), ett_r3manageuser);
- proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
+ len_field = proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypetype, payload_tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
+ if (paramLength < 2)
+ {
+ dataLength = 0;
+ expert_add_info_format (pinfo, len_field, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets.");
+ }
+
offset += 2;
switch (paramType)
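Review bot: After the `if (paramLength < 2)` guard the code still runs `offset += 2` and `switch (paramType)`, so a parameter whose length octet is 0 or 1 is decoded with a type octet that lies outside the declared parameter. Cases that check dataLength, such as the `dataLength != 2` test under ADDUSERPARAMTYPE_USERNO, will then add a second "Malformed field" warning for the same bytes. The rest of the function is outside the hunk, so it is not visible how the caller or loop resynchronises; if it cannot, ending the dissection of this payload inside the guard (for example `return;` after the expert info) would be clearer than continuing with dataLength forced to 0. The guard added in dissect_r3_upstreamfields has the same shape.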
@@ -4677,14 +4691,14 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
case ADDUSERPARAMTYPE_USECOUNT :
case ADDUSERPARAMTYPE_EXCEPTIONGROUP :
if (dataLength != 1)
- expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet");
+ expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet");
else
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE);
break;
case ADDUSERPARAMTYPE_USERNO :
if (dataLength != 2)
- expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets");
+ expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets");
else
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE);
break;
@@ -4700,7 +4714,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
proto_tree *expireon_tree = NULL;
if (dataLength != 3)
- expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets");
+ expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets");
else
{
expireon_item = proto_tree_add_text (mu_tree, payload_tvb, offset, 3, "Expire YY/MM/DD: %02u/%02u/%02u",
@@ -4722,7 +4736,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
proto_tree *timezone_tree = NULL;
if (dataLength != 4)
- expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets");
+ expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets");
else
{
tz = tvb_get_letohl (payload_tvb, offset);