author | Dario Lombardo <lomato@gmail.com> | 2019-11-30 23:49:20 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2019-12-05 05:40:17 +0000 |
commit | 4b673a14d01d7ae115f04dae1e777f71f7c51889 (patch) | |
tree | fb6a3c12881066cc03f6653b08b54d0a7fd82d96 /epan/dissectors/packet-tipc.c | |
parent | 469228a2e555d16a54dd31f73426d50f57b2ba50 (diff) |
tipc: check message bundle size before using it.
Bug: 16240
Change-Id: I3aaf32f6b2b0df1a809d318868cf5523a9158105
Reviewed-on: https://code.wireshark.org/review/35264
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-tipc.c')
-rw-r--r-- | epan/dissectors/packet-tipc.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/epan/dissectors/packet-tipc.c b/epan/dissectors/packet-tipc.c
index 570566b205..d9cf96f48c 100644
--- a/epan/dissectors/packet-tipc.c
+++ b/epan/dissectors/packet-tipc.c
@@ -180,6 +180,7 @@ static gint ett_tipc = -1;
 static gint ett_tipc_data = -1;
 static expert_field ei_tipc_field_not_specified = EI_INIT;
+static expert_field ei_tipc_invalid_bundle_size = EI_INIT;
 static int tipc_address_type = -1;
@@ -2087,13 +2088,19 @@ dissect_tipc_int_prot_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tipc_tr
 proto_tree_add_item(tipc_tree, hf_tipc_message_bundle, tvb, offset, -1, ENC_NA);
 while ((guint32)offset < msg_size) {
 msg_no++;
-msg_in_bundle_size = tvb_get_ntohl(tvb, offset);
+msg_in_bundle_size = tvb_get_ntohl(tvb, offset) & 0x1FFFF;
 item = proto_tree_add_uint_format(tipc_tree, hf_tipc_msg_no_bundle, tvb, offset, 1, msg_no, "%u Message in Bundle", msg_no);
-proto_item_set_len(item, msg_in_bundle_size);
-data_tvb = tvb_new_subset_length(tvb, offset, msg_in_bundle_size);
-col_set_fence(pinfo->cinfo, COL_INFO);
-dissect_tipc(data_tvb, pinfo, tipc_tree, NULL);
-offset = offset + msg_in_bundle_size;
+gint remaining = tvb_reported_length_remaining(tvb, offset);
+if (remaining > 0 && msg_in_bundle_size <= (guint)remaining) {
+proto_item_set_len(item, msg_in_bundle_size);
+data_tvb = tvb_new_subset_length(tvb, offset, msg_in_bundle_size);
+col_set_fence(pinfo->cinfo, COL_INFO);
+dissect_tipc(data_tvb, pinfo, tipc_tree, NULL);
+offset += msg_in_bundle_size;
+} else {
+proto_tree_add_expert(tipc_tree, pinfo, &ei_tipc_invalid_bundle_size, tvb, offset, 4);
+break;
+}
 }
 break;
 default:
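Review bot: A bundled message whose masked size is 0 still passes the new guard on the `if (remaining > 0 && msg_in_bundle_size <= (guint)remaining)` line, so `proto_item_set_len(item, 0)` and a zero-length `data_tvb` are produced and `offset` is never advanced; loop termination in that case presumably depends on `dissect_tipc` throwing on the empty subset rather than on this check. Tightening the guard to `if (remaining > 0 && msg_in_bundle_size > 0 && msg_in_bundle_size <= (guint)remaining) {` (or, better, comparing against a minimum TIPC header length if the file already defines one) would route that input to the same `ei_tipc_invalid_bundle_size` expert item instead. The `0x1FFFF` mask is an unexplained literal; a named constant with a one-line comment such as `/* bundled message size is carried in the low 17 bits of the first word */` next to the other static declarations would help the next reader. Note also that `tvb_get_ntohl(tvb, offset)` on the preceding line already reads four bytes, so a bundle truncated to fewer than four bytes raises a bounds exception before the expert info is reached — acceptable for a dissector, but worth a comment if the intent was to always report truncation via expert info. The enclosing `dissect_tipc_int_prot_msg` starts and ends outside the hunk.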
@@ -3037,6 +3044,7 @@ proto_register_tipc(void)
 static ei_register_info ei[] = {
 { &ei_tipc_field_not_specified, { "tipc.field_not_specified", PI_PROTOCOL, PI_WARN, "This field is not specified in TIPC v7", EXPFILL }},
+{ &ei_tipc_invalid_bundle_size, { "tipc.invalid_bundle_size", PI_PROTOCOL, PI_WARN, "Invalid message bundle size", EXPFILL }},
 };
 module_t *tipc_module; |