author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2012-12-06 01:43:37 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2012-12-06 01:43:37 +0000 |
commit | 97bbd2fc0a713d8fa9c576fff706073d98b41ce3 (patch) | |
tree | 169943497ad8ae4f3d125a1a16c6b6295501da41 /epan/dissectors/packet-assa_r3.c | |
parent | ecad8311ca5930f3c802c81b31c431a9bb253504 (diff) |
Fix infinite loop in the R3 dissector reported in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8040 :
If the alarm length is 0, raise an expert_info and break out of the loop.
svn path=/trunk/; revision=46415
Diffstat (limited to 'epan/dissectors/packet-assa_r3.c')
-rw-r--r-- | epan/dissectors/packet-assa_r3.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/epan/dissectors/packet-assa_r3.c b/epan/dissectors/packet-assa_r3.c
index 7a6d747383..124d5ddb80 100644
--- a/epan/dissectors/packet-assa_r3.c
+++ b/epan/dissectors/packet-assa_r3.c
@@ -1,6 +1,6 @@
 /* packet-assa_r3.c
 * Routines for R3 packet dissection
- * Copyright (c) 2009 Assa Abloy USA <jcwren@assaabloyusa.com>
+ * Copyright (c) 2009 Assa Abloy USA <jcwren[AT]assaabloyusa.com>
 *
 * R3 is an electronic lock management protocol for configuring operational
 * parameters, adding/removing/altering users, dumping log files, etc.
@@ -8868,7 +8868,7 @@ static void dissect_r3_cmd_filters (tvbuff_t *tvb, guint32 start_offset, guint32
 proto_tree_add_item (filter_tree, hf_r3_filter_list, payload_tvb, i + 2, 1, ENC_LITTLE_ENDIAN);
 }

-static void dissect_r3_cmd_alarmconfigure (tvbuff_t *tvb, guint32 start_offset, guint32 length _U_, packet_info *pinfo _U_, proto_tree *tree)
+static void dissect_r3_cmd_alarmconfigure (tvbuff_t *tvb, guint32 start_offset, guint32 length _U_, packet_info *pinfo, proto_tree *tree)
 {
 proto_item *alarm_item;
 proto_tree *alarm_tree;
@@ -8891,10 +8891,11 @@ static void dissect_r3_cmd_alarmconfigure (tvbuff_t *tvb, guint32 start_offset,

 while (offset < (cmdLen - 2))
 {
- proto_item *alarmcfg_item;
+ proto_item *alarmcfg_item, *pi;
 proto_tree *alarmcfg_tree;
 const gchar *ai;
 const gchar *as;
+ guint32 alarm_len;

 if (!(ai = match_strval_ext (tvb_get_guint8 (payload_tvb, offset + 1), &r3_alarmidnames_ext)))
 {
@@ -8909,12 +8910,19 @@ static void dissect_r3_cmd_alarmconfigure (tvbuff_t *tvb, guint32 start_offset,
 "Alarm Item (%s, %s)", ai, as);
 alarmcfg_tree = proto_item_add_subtree (alarmcfg_item, ett_r3alarmcfg);

- proto_tree_add_item (alarmcfg_tree, hf_r3_alarm_length, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
+ alarm_len = tvb_get_guint8 (payload_tvb, offset + 0);
+ pi = proto_tree_add_item (alarmcfg_tree, hf_r3_alarm_length, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
+ if (alarm_len == 0) {
+ expert_add_info_format (pinfo, pi, PI_MALFORMED, PI_WARN,
+ "Alarm length equal to 0; payload could be partially decoded");
+ break;
+ }
+
 proto_tree_add_item (alarmcfg_tree, hf_r3_alarm_id, payload_tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
 proto_tree_add_item (alarmcfg_tree, hf_r3_alarm_state, payload_tvb, offset + 2, 1, ENC_LITTLE_ENDIAN);

 alarms++;
- offset += tvb_get_guint8 (payload_tvb, offset);
+ offset += alarm_len;
 }

 if (alarms) |
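Review bot: The new guard in the while loop rejects only `alarm_len == 0`, but each iteration decodes three one-byte fields at `offset + 0`, `offset + 1` and `offset + 2`, so a length of 1 or 2 still advances `offset` by less than the item just dissected and the following items are decoded from overlapping bytes. The loop does terminate in that case, so this is a decoding-accuracy gap on untrusted capture data rather than a hang. If the protocol has no alarm item shorter than three bytes, the check could be `if (alarm_len < 3) {`, with the expert message reworded for a too-short length. A malformed length would also more conventionally be reported as `PI_MALFORMED, PI_ERROR` than `PI_WARN`. The loop and the enclosing function start and end outside this hunk, so the bound `cmdLen - 2` could not be checked from here.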