Do not iterate over reported length when using tvb_find_line_end

if captured length < reported length, this will trigger an infinite loop Change-Id: I6557b455e7bbff12658a934e5bb13a42c023e133 Reviewed-on: https://code.wireshark.org/review/7053 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
author: Pascal Quantin <pascal.quantin@gmail.com> 2015-02-10 13:49:28 +0100
committer: Pascal Quantin <pascal.quantin@gmail.com> 2015-02-10 14:02:20 +0000
commit: e915db7cc8c779368afef51c12241337b4d7beda (patch)
tree: 0cf7356cb71db4ba4ed95448bc5113a2aabd6682 /epan/dissectors/packet-mgcp.c
parent: 7369c25ad41ef075688420f53f353e8e6c4ddfdb (diff)
1 files changed, 5 insertions, 6 deletions
diff --git a/epan/dissectors/packet-mgcp.c b/epan/dissectors/packet-mgcp.c
index 7a7fc7cd44..aabe2a3915 100644
--- a/epan/dissectors/packet-mgcp.c
+++ b/epan/dissectors/packet-mgcp.c
@@ -557,10 +557,9 @@ static void dissect_mgcp_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
  */
 static void mgcp_raw_text_add(tvbuff_t *tvb, proto_tree *tree)
 {
-	gint tvb_linebegin, tvb_lineend, tvb_len, linelen;
+	gint tvb_linebegin, tvb_lineend, linelen;
 
 	tvb_linebegin = 0;
-	tvb_len = tvb_reported_length(tvb);
 
 	do
 	{
@@ -568,7 +567,7 @@ static void mgcp_raw_text_add(tvbuff_t *tvb, proto_tree *tree)
 		linelen = tvb_lineend - tvb_linebegin;
 		proto_tree_add_format_text(tree, tvb, tvb_linebegin, linelen);
 		tvb_linebegin = tvb_lineend;
-	} while (tvb_lineend < tvb_len);
+	} while (tvb_offset_exists(tvb, tvb_lineend));
 }
 
 /* Discard and init any state we've saved */
@@ -1150,7 +1149,7 @@ static void dissect_mgcp_firstline(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 				                                   tvb_current_len);
 			}
 			tokennum++;
-		} while (tvb_current_offset < tvb_len && tvb_previous_offset < tvb_len && tokennum <= 3);
+		} while (tvb_current_offset < tvb_len && tvb_offset_exists(tvb, tvb_current_offset) && tvb_previous_offset < tvb_len && tokennum <= 3);
 
 		switch (mgcp_type)
 		{
@@ -1419,7 +1418,7 @@ static void dissect_mgcp_params(tvbuff_t *tvb, proto_tree *tree)
 		mgcp_param_tree = proto_item_add_subtree(mgcp_param_ti, ett_mgcp_param);
 
 		/* Parse the parameters */
-		while (tvb_lineend < tvb_len)
+		while (tvb_offset_exists(tvb, tvb_lineend))
 		{
 			old_lineend = tvb_lineend;
 			linelen = tvb_find_line_end(tvb, tvb_linebegin, -1, &tvb_lineend, FALSE);
@@ -1790,7 +1789,7 @@ static gint tvb_find_null_line(tvbuff_t* tvb, gint offset, gint len, gint* next_
 		tvb_current_len = tvb_reported_length_remaining(tvb, tvb_linebegin);
 		tvb_find_line_end(tvb, tvb_linebegin, tvb_current_len, &tvb_lineend, FALSE);
 		tempchar = tvb_get_guint8(tvb, tvb_linebegin);
-	} while (tempchar != '\r' && tempchar != '\n' && tvb_lineend <= maxoffset);
+	} while (tempchar != '\r' && tempchar != '\n' && tvb_lineend <= maxoffset && tvb_offset_exists(tvb, tvb_lineend));
 
 
 	*next_offset = tvb_lineend;
author	Pascal Quantin <pascal.quantin@gmail.com>	2015-02-10 13:49:28 +0100
committer	Pascal Quantin <pascal.quantin@gmail.com>	2015-02-10 14:02:20 +0000
commit	e915db7cc8c779368afef51c12241337b4d7beda (patch)
tree	0cf7356cb71db4ba4ed95448bc5113a2aabd6682 /epan/dissectors/packet-mgcp.c
parent	7369c25ad41ef075688420f53f353e8e6c4ddfdb (diff)