author | morriss <morriss@f5534014-38df-0310-8fa8-9805f1628bb7> | 2010-07-07 22:00:44 +0000 |
---|---|---|
committer | morriss <morriss@f5534014-38df-0310-8fa8-9805f1628bb7> | 2010-07-07 22:00:44 +0000 |
commit | 3599398c12d768a5f48e2bac7f481adf5781302b (patch) | |
tree | 4c31d8557f27e33e6ddc8a74c19caa40f088923b /epan/dissectors/packet-ber.c | |
parent | 072a8c3bb02bfa08e13cdf41a9811322aefc7a20 (diff) |
For: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984#c4 : In try_get_ber_length() don't let a negative length make us go backwards. This should eliminate a possible infinite loop and appears to /help/ limit the depth of recursion.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@33471 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-ber.c')
-rw-r--r-- | epan/dissectors/packet-ber.c | 35 |
1 files changed, 20 insertions, 15 deletions
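diff --git a/epan/dissectors/packet-ber.c b/epan/dissectors/packet-ber.c
index 11c236ab6a..1dabbb9507 100644
--- a/epan/dissectors/packet-ber.c
+++ b/epan/dissectors/packet-ber.c
@@ -978,26 +978,31 @@ try_get_ber_length(tvbuff_t *tvb, int *bl_offset, gboolean pc, guint32 *length,
 			tmp_length = (tmp_length<<8) + oct;
 		}
 	} else {
-		/* 8.1.3.6 */
-		/* indefinite length encoded - must be constructed */
+		/* 8.1.3.6 */
+		/* indefinite length encoded - must be constructed */
-		if(!pc)
-			return FALSE;
+		if(!pc)
+			return FALSE;
-		tmp_offset = offset;
+		tmp_offset = offset;
-		do {
-			tmp_offset = get_ber_identifier(tvb, tmp_offset, &tclass, &tpc, &ttag);
-			/* Make sure we move forward */
-			if(tmp_offset > offset && try_get_ber_length(tvb, &tmp_offset, tpc, &tmp_len, &tmp_ind))
-				tmp_offset += tmp_len;
-			else
-				return FALSE;
+		do {
+			tmp_offset = get_ber_identifier(tvb, tmp_offset, &tclass, &tpc, &ttag);
+
+			/* Make sure we move forward */
+			if(tmp_offset > offset && try_get_ber_length(tvb, &tmp_offset, tpc, &tmp_len, &tmp_ind)) {
+				if (tmp_len > 0) {
+					tmp_offset += tmp_len;
+					continue;
+				}
+			}
+
+			return FALSE;
-		} while (!((tclass == BER_CLASS_UNI) && (ttag == 0) && (tmp_len == 0)));
+		} while (!((tclass == BER_CLASS_UNI) && (ttag == 0) && (tmp_len == 0)));
-		tmp_length = tmp_offset - offset;
-		tmp_ind = TRUE;
+		tmp_length = tmp_offset - offset;
+		tmp_ind = TRUE;
 	}
 }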
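Review bot: The new `if (tmp_len > 0)` guard inside the do-loop makes the loop's own exit condition unreachable: the end-of-contents octets that terminate an indefinite-length value parse as class UNI, tag 0, length 0, so `tmp_len == 0` now falls through to the added `return FALSE;` before the `while` test can ever see it, and every indefinite-length constructed value is rejected. The guard also does not stop the offset going backwards as the commit message intends: `tmp_len` is passed as the `guint32 *length` argument, so it is never negative, and a large value added to the `int` `tmp_offset` can still wrap to a smaller offset. Checking progress after the addition, against the position at the top of the iteration, keeps the EOC case working and catches wrap-around as well; the `tmp_offset > offset` test after `get_ber_identifier` can then go, since the post-addition check subsumes it. The enclosing function starts before the hunk.
```c
		do {
			int iter_start = tmp_offset;
			tmp_offset = get_ber_identifier(tvb, tmp_offset, &tclass, &tpc, &ttag);
			if (!try_get_ber_length(tvb, &tmp_offset, tpc, &tmp_len, &tmp_ind))
				return FALSE;
			tmp_offset += tmp_len;
			/* Make sure we move forward; a wrapped or zero-progress offset fails here */
			if (tmp_offset <= iter_start)
				return FALSE;
		} while (!((tclass == BER_CLASS_UNI) && (ttag == 0) && (tmp_len == 0)));
		/* … unchanged: tmp_length / tmp_ind assignment … */
```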