author | Gerald Combs <gerald@wireshark.org> | 2012-08-06 23:12:13 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2012-08-06 23:12:13 +0000 |
commit | 68920ce95a7a5853398faa2e3c484c91863e1511 (patch) | |
tree | cd3505ce4e3d12c2b2519809954203855cd578db /epan/dissectors/packet-xtp.c | |
parent | 5a47e80ffe24129fee078490057db90c97bc8d89 (diff) |
Add a maximum span length check to XTP. Fixes a crash discovered by Ben
Schmidt.
Just use proto_tree_add_item() instead of allocating a
big-ol-honkin'-block of guint64s and adding their values to the tree via
proto_tree_add_uint64().
Dissection *should* still work correctly but I can't find any XTP
captures for testing.
svn path=/trunk/; revision=44289
Diffstat (limited to 'epan/dissectors/packet-xtp.c')
-rw-r--r-- | epan/dissectors/packet-xtp.c | 36 |
1 files changed, 14 insertions, 22 deletions
diff --git a/epan/dissectors/packet-xtp.c b/epan/dissectors/packet-xtp.c
index 589681c4c1..4533efd7b2 100644
--- a/epan/dissectors/packet-xtp.c
+++ b/epan/dissectors/packet-xtp.c
@@ -32,6 +32,7 @@
 
 #include <glib.h>
 #include <epan/packet.h>
+#include <epan/expert.h>
 #include <epan/ipproto.h>
 #include <epan/in_cksum.h>
 
@@ -727,6 +728,7 @@ dissect_xtp_first(tvbuff_t *tvb, proto_tree *tree, guint32 offset) {
 return;
 }
 
+#define XTP_MAX_NSPANS 10000 /* Arbitrary. (Documentation link is dead.) */
 static void
 dissect_xtp_ecntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 guint32 offset) {
@@ -735,8 +737,7 @@ dissect_xtp_ecntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 proto_item *top_ti;
 proto_tree *xtp_subtree;
 struct xtp_ecntl ecntl[1];
- guint64 *spans, *p;
- guint32 spans_len;
+ guint spans_len;
 guint i;
 
 top_ti = proto_tree_add_text(tree, tvb, offset, len,
@@ -769,21 +770,15 @@ dissect_xtp_ecntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 offset += 4;
 len = len + XTP_HEADER_LEN - offset;
 spans_len = 16 * ecntl->nspan;
+
 if (len != spans_len) {
- proto_item_append_text(top_ti,
- ", bogus spans field length (%u, must be %u)",
- len, spans_len);
- return;
+ expert_add_info_format(pinfo, top_ti, PI_MALFORMED, PI_ERROR, "Number of spans (%u) incorrect. Should be %u.", ecntl->nspan, len);
+ THROW(ReportedBoundsError);
 }
- /* spans(16n) */
- spans = ep_alloc0(spans_len);
- p = spans;
- for (i = 0; i < ecntl->nspan*2; i++) {
- guint64 span = tvb_get_ntohl(tvb, offset);
- span <<= 32;
- span += tvb_get_ntohl(tvb, offset+4);
- *p++ = span;
- offset += 8;
+
+ if (ecntl->nspan > XTP_MAX_NSPANS) {
+ expert_add_info_format(pinfo, top_ti, PI_MALFORMED, PI_ERROR, "Too many spans: %u", ecntl->nspan);
+ THROW(ReportedBoundsError);
 }
 
 /** add summary **/
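Review bot: The length check `if (len != spans_len)` in the @@ -769 hunk compares against `16 * ecntl->nspan`, which is computed in unsigned arithmetic and (assuming nspan is a 32-bit field; its declaration is outside the hunk) wraps for large values, so a wrapped product can equal `len` and only the arbitrary XTP_MAX_NSPANS cap added below then rejects the packet. Deriving the bound from the bytes actually present avoids relying on that cap: `if (len % 16 != 0 || ecntl->nspan != len / 16) {`. The expert message in the same branch passes `len`, a byte count, for "Should be %u" where a span count is described; `len / 16` would match the wording. dissect_xtp_ecntl starts and ends outside this hunk.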
@@ -815,15 +810,12 @@ dissect_xtp_ecntl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 tvb, offset, 4, ecntl->nspan);
 offset += 4;
 /* spans(16n) */
- p = spans;
 for (i = 0; i < ecntl->nspan; i++) {
- proto_tree_add_uint64(xtp_subtree, hf_xtp_ecntl_span_left,
- tvb, offset, 8, *p);
- p++;
+ proto_tree_add_item(xtp_subtree, hf_xtp_ecntl_span_left,
+ tvb, offset, 8, ENC_LITTLE_ENDIAN);
 offset += 8;
- proto_tree_add_uint64(xtp_subtree, hf_xtp_ecntl_span_right,
- tvb, offset, 8, *p);
- p++;
+ proto_tree_add_item(xtp_subtree, hf_xtp_ecntl_span_right,
+ tvb, offset, 8, ENC_LITTLE_ENDIAN);
 offset += 8;
 }
 
|
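Review bot: Both proto_tree_add_item() calls pass `ENC_LITTLE_ENDIAN`, but the code this commit removes built each span from two tvb_get_ntohl() reads with the first word shifted into the high 32 bits, which is network (big-endian) order. As written, span_left and span_right would be displayed byte-swapped relative to the previous output; the last line of each call should read `tvb, offset, 8, ENC_BIG_ENDIAN);`. The commit message says no XTP capture was available for testing, so this change in displayed values would not have shown up. The loop is inside dissect_xtp_ecntl, which extends beyond the hunk.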