author | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2010-11-18 19:25:11 +0000 |
---|---|---|
committer | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2010-11-18 19:25:11 +0000 |
commit | 2262c0b378ddaa8b60cc95c7c6276e31ee3083f0 (patch) | |
tree | c93913c6bfabb516d4d4324195d0e27f60e41465 /epan/dissectors/packet-daap.c | |
parent | 259cde2f81592aa6909d8905e10f8e4f0d214c06 (diff) |
Tighten up TLV processing a bit to prevent a potential loop.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@34954 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-daap.c')
-rw-r--r-- | epan/dissectors/packet-daap.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/epan/dissectors/packet-daap.c b/epan/dissectors/packet-daap.c
index fe3b034c9e..1bac4f284a 100644
--- a/epan/dissectors/packet-daap.c
+++ b/epan/dissectors/packet-daap.c
@@ -380,6 +380,7 @@ static void
 dissect_daap_one_tag(proto_tree *tree, tvbuff_t *tvb)
 {
 gint offset = 0;
+ gint reported_length;
 guint32 tagname;
 guint32 tagsize;
 gint len;
@@ -388,7 +389,9 @@ dissect_daap_one_tag(proto_tree *tree, tvbuff_t *tvb)
 proto_tree *new_tree;
 tvbuff_t *new_tvb;
- while ((offset >= 0) && (tvb_reported_length_remaining(tvb, offset) > 0)) {
+ reported_length = tvb_reported_length(tvb);
+
+ while ((offset >= 0) && (offset < reported_length)) {
 tagname = tvb_get_ntohl(tvb, offset);
 tagsize = tvb_get_ntohl(tvb, offset+4);
 ti = proto_tree_add_text(tree, tvb, offset, 8,
@@ -404,7 +407,7 @@ dissect_daap_one_tag(proto_tree *tree, tvbuff_t *tvb)
 offset += 8;
- len = tvb_reported_length_remaining(tvb, offset); /* should be >= 0 since no exception above */
+ len = reported_length - offset; /* should be >= 0 since no exception above */
 DISSECTOR_ASSERT(len >= 0);
 if (tagsize <= (unsigned)len) {
 len = tagsize;
@@ -614,10 +617,12 @@ dissect_daap_one_tag(proto_tree *tree, tvbuff_t *tvb)
 default:
 break;
 }
+ if ((signed)tagsize < 0) /* we'll consider a tagsize >= 0x80000000 invalid */
+ break;
 offset += tagsize;
 }
- if ((offset < 0) || (tvb_reported_length_remaining(tvb, offset) != 0)) {
- THROW(ReportedBoundsError);
+ if ((offset < 0) || ((reported_length - offset) != 0)) {
+ THROW(ReportedBoundsError);
 }
 return;
 } |
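Review bot: In the last hunk the new `(signed)tagsize < 0` guard rejects only sizes of 0x80000000 and above, so a tagsize up to 0x7fffffff is still added to the signed `offset`, and the loop then ends only because the out-of-range result converts back to a negative `gint` that the `offset >= 0` test catches. The `break` also leaves the loop without reporting anything when the bad size sits in the final 8 bytes, because `reported_length - offset` is then 0 and the check after the loop passes. Bounding the size against the bytes that remain would cover both cases without relying on integer conversion behaviour: `if (tagsize > (guint32)(reported_length - offset)) THROW(ReportedBoundsError);` placed before `offset += tagsize;`. The unbraced `if` with a trailing comment makes it easy to miss that this `break` exits the `while` loop rather than the `switch` closed just above, so braces and a short comment saying so would help. The switch body lies between the hunks and is not visible here, so this assumes `offset` is not changed inside it.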