author | Martin Mathieson <martin.r.mathieson@googlemail.com> | 2015-08-03 12:02:37 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2015-08-03 12:20:52 +0000 |
commit | 56ee4b1ca11b219b5a03440bac922e98e392bd7a (patch) | |
tree | 24f8750f3e7205caac6666602800b923a694138c /epan/dissectors/packet-tftp.c | |
parent | 9557c73f81efad68ce3961a5ec18de2d985c4bb1 (diff) |
TFTP: strengthen heuristic used over STUN/TURN
Change-Id: I133199abda100a89e219804c3003dee76389c43a
Reviewed-on: https://code.wireshark.org/review/9839
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Diffstat (limited to 'epan/dissectors/packet-tftp.c')
-rw-r--r-- | epan/dissectors/packet-tftp.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/epan/dissectors/packet-tftp.c b/epan/dissectors/packet-tftp.c
index feb3205916..4b50a28a29 100644
--- a/epan/dissectors/packet-tftp.c
+++ b/epan/dissectors/packet-tftp.c
@@ -221,9 +221,11 @@ static void dissect_tftp_message(tftp_conv_info_t *tftp_info,
 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TFTP");
+ /* Protocol root */
 ti = proto_tree_add_item(tree, proto_tftp, tvb, offset, -1, ENC_NA);
 tftp_tree = proto_item_add_subtree(ti, ett_tftp);
+ /* Opcode */
 opcode = tvb_get_ntohs(tvb, offset);
 proto_tree_add_uint(tftp_tree, hf_tftp_opcode, tvb, offset, 2, opcode);
 col_add_str(pinfo->cinfo, COL_INFO,
@@ -472,6 +474,24 @@ dissect_embeddedtftp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, v
 switch (opcode) {
 case TFTP_RRQ:
 case TFTP_WRQ:
+ /* These 2 opcodes have a NULL-terminated source file name after opcode. Verify */
+ {
+ gint char_offset = 1;
+ while (tvb_captured_length_remaining(tvb, char_offset)) {
+ gchar c = (gchar)tvb_get_guint8(tvb, char_offset++);
+ if (c == '\0') {
+ /* NULL termination found - continue with dissection */
+ break;
+ }
+ else if (!g_ascii_isprint(c)) {
+ /* Not part of a file name - give up now */
+ return FALSE;
+ }
+ }
+ /* Would have to have a short capture length to not include the whole filename,
+ but fall through here anyway rather than returning FALSE */
+ }
+ /* Intentionally dropping through here... */
 case TFTP_DATA:
 case TFTP_ACK:
 case TFTP_OACK: |
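Review bot: The filename scan added under `case TFTP_RRQ:` / `case TFTP_WRQ:` starts at `char_offset = 1`, which looks like the second byte of the opcode rather than the first byte of the file name; the first hunk shows the opcode being read with `tvb_get_ntohs` and added as a 2-byte field. If the heuristic reads its opcode the same way at offset 0 (that read is outside this hunk), the first byte tested is the opcode's low byte, which for these two requests (1 and 2 in RFC 1350) is neither NUL nor printable, so `!g_ascii_isprint(c)` would return FALSE for every RRQ/WRQ and TFTP requests carried over STUN/TURN would stop being recognised. Starting the scan after the opcode, `gint char_offset = 2;`, would test only the file name bytes. The body of `dissect_embeddedtftp_heur` starts and ends outside the hunk, so this should be checked against the opcode read above the `switch`.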