authorPascal Quantin <pascal.quantin@gmail.com>2017-06-19 21:23:47 +0200
committerAnders Broman <a.broman58@gmail.com>2017-06-19 23:47:35 +0000
commit246cbbc2ea6dd0a3a69a1aaa94db244a77565353 (patch)
tree37da1add602490f8c385070b532836ec133fb558 /epan
parentbb58b3a2643ab81560d84b00be3a9b9e86f0393c (diff)
AMQP: fix a stack overflow when offset goes back and forth
Previous code assumed that list decoding was successful and that some bytes were consumed. Let's explicitly check this. Bug: 13780 Change-Id: I3546b093f309f2b8096f01bc9987ac5ad9e029eb Reviewed-on: https://code.wireshark.org/review/22235 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-amqp.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-amqp.c b/epan/dissectors/packet-amqp.c
index 44899370a6..303bd3bbd2 100644
--- a/epan/dissectors/packet-amqp.c
+++ b/epan/dissectors/packet-amqp.c
@@ -9978,7 +9978,13 @@ get_amqp_1_0_value_formatter(tvbuff_t *tvb,
item,
hf_amqp_type,
hf_amqp_subtype_count,
- hf_amqp_subtypes, name)-1; /* "-1" due to decode type again in the method */
+ hf_amqp_subtypes, name);
+ if (*length_size == 0) {
+ /* something went wrong during list dissection; let's stop here */
+ *length_size = tvb_reported_length_remaining(tvb, offset);
+ } else {
+ *length_size -= 1; /* "-1" due to decode type again in the method */
+ }
break;
case AMQP_1_0_TYPE_MAP8:
case AMQP_1_0_TYPE_MAP32:
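Review bot: The `else` branch can still leave `*length_size` at 0, because a return of exactly 1 from the list dissection passes the `== 0` test and is then decremented to zero, the same no-bytes-consumed state this guard is meant to exclude. The fallback has a similar gap: `tvb_reported_length_remaining(tvb, offset)` may itself be 0 when `offset` already sits at the end of the buffer, and whether the caller stops in that case is not visible here. If a return of 1 can never be a valid list, `if (*length_size <= 1) {` would route it to the stop path; either way the comment should state the invariant, e.g. `/* 0 means nothing was consumed; claim the rest of the tvb so the caller cannot loop on the same offset */`. The call whose result is assigned begins before the hunk and the `MAP8`/`MAP32` case continues past it, so if that branch applies the same `-1` adjustment it presumably needs the same check.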