Field | Value | Date |
---|---|---|
author | Pascal Quantin <pascal.quantin@gmail.com> | 2017-06-19 21:23:47 +0200 |
committer | Anders Broman <a.broman58@gmail.com> | 2017-06-19 23:47:35 +0000 |
commit | 246cbbc2ea6dd0a3a69a1aaa94db244a77565353 | |
tree | 37da1add602490f8c385070b532836ec133fb558 /epan | |
parent | bb58b3a2643ab81560d84b00be3a9b9e86f0393c | |
AMQP: fix a stack overflow when offset goes back and forth
Previous code assumed that list decoding was successful and that some
bytes were consumed. Let's explicitly check this.
Bug: 13780
Change-Id: I3546b093f309f2b8096f01bc9987ac5ad9e029eb
Reviewed-on: https://code.wireshark.org/review/22235
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-amqp.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c index 44899370a6..303bd3bbd2 100644 --- a/epan/dissectors/packet-amqp.c +++ b/epan/dissectors/packet-amqp.c @@ -9978,7 +9978,13 @@ get_amqp_1_0_value_formatter(tvbuff_t *tvb, item, hf_amqp_type, hf_amqp_subtype_count, - hf_amqp_subtypes, name)-1; /* "-1" due to decode type again in the method */ + hf_amqp_subtypes, name); + if (*length_size == 0) { + /* something went wrong during list dissection; let's stop here */ + *length_size = tvb_reported_length_remaining(tvb, offset); + } else { + *length_size -= 1; /* "-1" due to decode type again in the method */ + } break; case AMQP_1_0_TYPE_MAP8: case AMQP_1_0_TYPE_MAP32: |
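Review bot: In the new `if (*length_size == 0)` branch, the fallback `*length_size = tvb_reported_length_remaining(tvb, offset);` can itself evaluate to 0 when `offset` already sits at the end of the reported data, so the value handed back may still indicate that no bytes were consumed, which is the condition the commit message says the old code wrongly assumed away. It would be worth confirming that the caller terminates in that case, or forcing a minimum advance here. The branch also swallows the failure silently: the comment says "something went wrong during list dissection", but nothing is attached to `item` to tell the user the list was malformed, so an expert info entry on `item` would make truncated or hostile captures visible in the UI. Finally, the trailing context shows `case AMQP_1_0_TYPE_MAP8:` and `case AMQP_1_0_TYPE_MAP32:` immediately after; if that path applies the same unconditional "-1" to its return value, it needs the same guard.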