author | Gerald Combs <gerald@wireshark.org> | 2005-05-24 16:46:18 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2005-05-24 16:46:18 +0000 |
commit | 1c650087aca13506de89b33c46bfbc51c1364a87 (patch) | |
tree | f7f5a425c8889da03b05fcd5f2bc7522d9fa2eb0 /epan/dissectors/packet-bootp.c | |
parent | 1a5605dc21f60ae40fae1a2a470c17b569d24c44 (diff) | |
Add extra TLV length checks and signedness fixes. Fixes the infinite loop in
bug 196.
svn path=/trunk/; revision=14425
Diffstat (limited to 'epan/dissectors/packet-bootp.c')
-rw-r--r-- | epan/dissectors/packet-bootp.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/epan/dissectors/packet-bootp.c b/epan/dissectors/packet-bootp.c
index 3391928c41..f15357508f 100644
--- a/epan/dissectors/packet-bootp.c
+++ b/epan/dissectors/packet-bootp.c
@@ -2032,8 +2032,8 @@ dissect_packetcable_mta_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len
 {
 guint16 raw_val;
 unsigned long flow_val = 0;
- guint off = PKT_MDC_TLV_OFF + voff;
- guint tlv_len, i;
+ int off = PKT_MDC_TLV_OFF + voff;
+ int tlv_len, i;
 guint8 asc_val[3] = " ", flow_val_str[5];
 static GString *tlv_str = NULL;
 char bit_fld[64];
@@ -2044,7 +2044,7 @@ dissect_packetcable_mta_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len
 tlv_str = g_string_new("");
 tvb_memcpy (tvb, asc_val, off, 2);
- if (sscanf(asc_val, "%x", &tlv_len) != 1) {
+ if (sscanf(asc_val, "%x", &tlv_len) != 1 || tlv_len < 1) {
 proto_tree_add_text(v_tree, tvb, off, len - off,
 "Bogus length: %s", asc_val);
 return;
@@ -2053,7 +2053,7 @@ dissect_packetcable_mta_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len
 tlv_len, "MTA DC Length: %d", tlv_len);
 off += 2;
- while ((int) off - voff < len) {
+ while (off - voff < len) {
 /* Type */
 raw_val = tvb_get_ntohs (tvb, off);
 g_string_sprintf(tlv_str, "0x%.2s: %s = ",
@@ -2062,7 +2062,7 @@ dissect_packetcable_mta_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len
 /* Length */
 tvb_memcpy(tvb, asc_val, off + 2, 2);
- if (sscanf(asc_val, "%x", &tlv_len) != 1) {
+ if (sscanf(asc_val, "%x", &tlv_len) != 1 || tlv_len < 1) {
 proto_tree_add_text(v_tree, tvb, off, len - off,
 "[Bogus length: %s]", asc_val);
 return;
@@ -2167,8 +2167,8 @@ static void
 dissect_docsis_cm_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len)
 {
 unsigned long raw_val;
- guint off = PKT_CM_TLV_OFF + voff;
- guint tlv_len, i;
+ int off = PKT_CM_TLV_OFF + voff;
+ int tlv_len, i;
 guint8 asc_val[3] = " ";
 static GString *tlv_str = NULL;
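Review bot: Declaring `tlv_len` as `int` at -2032 leaves it mismatched with the `sscanf(asc_val, "%x", &tlv_len)` calls in the -2044 and -2062 hunks, because `%x` stores through an `unsigned int *`; -Wformat flags this and the C standard does not define the result. The signed type is presumably what lets `tlv_len < 1` catch a negative parse, so rather than reverting it, parse into an unsigned temporary and range-check it: `guint parsed;`, `if (sscanf(asc_val, "%x", &parsed) != 1 || parsed < 1 || parsed > 0xFF) {`, then `tlv_len = (int) parsed;` after the check. The same declaration and calls recur in dissect_docsis_cm_cap (-2167, -2176, -2194). The function body continues outside the hunk.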
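Review bot: In the bogus-length branch at -2044, `proto_tree_add_text(v_tree, tvb, off, len - off, ...)` subtracts an absolute tvb offset from an option-relative length: the loop test in the next hunk (`off - voff < len`) shows that `off` includes `voff`. The item length is therefore wrong whenever `voff` is non-zero, and with `off` now signed it can go negative; how proto_tree_add_text treats a negative length is not visible here. The added `tlv_len < 1` test makes this branch reachable for more inputs, so it is worth correcting in the same change: `len - (off - voff)`. The same expression appears at -2062, -2176 and -2194.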
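Review bot: The loop test at -2053, `while (off - voff < len)`, admits an iteration with as little as one byte left in the option, yet the body reads a 2-byte type at `off` and copies a 2-byte length from `off + 2`. A truncated trailing TLV is then parsed from bytes that belong to whatever follows the option, or presumably raises a tvb bounds exception at the end of the packet. Requiring the full 4-byte header keeps parsing inside the option: `while (off - voff + 4 <= len) {`, with any leftover bytes reported as malformed after the loop. The loop body continues outside the hunk; the same loop is at -2185.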
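Review bot: The length test added at -2062 has no upper bound: it rejects `tlv_len < 1`, but nothing in the hunk compares the parsed value with the bytes still left in the option, `len - (off - voff)`. Two hex digits allow values up to 0xFF, so a TLV can claim more data than the option holds; whether the code after the hunk catches that is not visible here. If it does not, this branch is the natural place to reject it, and a comment such as `/* zero or overlong length: the loop cannot advance safely, stop here */` would record why the check exists. The same check is repeated at -2194.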
@@ -2176,7 +2176,7 @@ dissect_docsis_cm_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len)
 tlv_str = g_string_new("");
 tvb_memcpy (tvb, asc_val, off, 2);
- if (sscanf(asc_val, "%x", &tlv_len) != 1) {
+ if (sscanf(asc_val, "%x", &tlv_len) != 1 || tlv_len < 1) {
 proto_tree_add_text(v_tree, tvb, off, len - off,
 "Bogus length: %s", asc_val);
 return;
@@ -2185,7 +2185,7 @@ dissect_docsis_cm_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len)
 tlv_len, "CM DC Length: %d", tlv_len);
 off += 2;
- while ((int) off - voff < len) {
+ while (off - voff < len) {
 /* Type */
 raw_val = tvb_get_ntohs (tvb, off);
 g_string_sprintf(tlv_str, "0x%.2s: %s = ",
@@ -2194,7 +2194,7 @@ dissect_docsis_cm_cap(proto_tree *v_tree, tvbuff_t *tvb, int voff, int len)
 /* Length */
 tvb_memcpy(tvb, asc_val, off + 2, 2);
- if (sscanf(asc_val, "%x", &tlv_len) != 1) {
+ if (sscanf(asc_val, "%x", &tlv_len) != 1 || tlv_len < 1) {
 proto_tree_add_text(v_tree, tvb, off, len - off,
 "[Bogus length: %s]", asc_val);
 return;
|