Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-dtls.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 10 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl.c | 6 |
3 files changed, 19 insertions, 3 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 6878efd3f7..21e3ec6226 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -668,6 +668,7 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
 guint8 next_byte;
 proto_tree *ti;
 proto_tree *dtls_record_tree;
+ proto_item *pi;
 SslDataInfo *appl_data;
 heur_dtbl_entry_t *hdtbl_entry;
@@ -734,8 +735,11 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
 offset += 6;
 /* add the length */
- proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
+ pi = proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb,
 offset, 2, record_length);
+ if (record_length > TLS_MAX_RECORD_LENGTH) {
+ expert_add_info(pinfo, pi, &dissect_dtls_hf.ei.record_length_invalid);
+ }
 offset += 2; /* move past length field itself */
 /*
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index e59dc72d9c..47f3311ecd 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -275,6 +275,9 @@ typedef enum {
 #define SSLV2_MAX_SESSION_ID_LENGTH_IN_BYTES 16
+/* Record fragment lengths MUST NOT exceed 2^14 (= 0x4000) */
+#define TLS_MAX_RECORD_LENGTH 0x4000
+
 typedef struct _SslCipherSuite {
 gint number;
 gint kex;
@@ -794,6 +797,7 @@ typedef struct ssl_common_dissect {
 expert_field hs_cipher_suites_len_bad;
 expert_field hs_sig_hash_algs_bad;
 expert_field resumed;
+ expert_field record_length_invalid;
 /* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_EI_LIST! */
 } ei;
@@ -898,7 +902,7 @@ ssl_common_dissect_t name = { \
 -1, -1, -1, -1, -1, -1, -1, \
 }, \
 /* ei */ { \
- EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, \
+ EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, EI_INIT, \
 }, \
 }
 /* }}} */
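Review bot: The bound tested after `proto_tree_add_uint` in dissect_dtls_record (and identically in the dissect_ssl3_record hunk of packet-ssl.c) is the plaintext fragment limit, but the value compared is the 2-byte length field as it appears on the wire. RFC 5246 section 6.2 caps TLSPlaintext.length at 2^14 yet allows TLSCompressed up to 2^14 + 1024 and TLSCiphertext up to 2^14 + 2048, so a full-size protected record carrying a MAC, padding or an explicit IV would presumably be reported as PI_ERROR although it is valid; spurious errors of this kind make the expert info less useful for spotting genuinely malformed records. Consider comparing against the ciphertext bound, e.g. `#define TLS_MAX_CIPHERTEXT_LENGTH (TLS_MAX_RECORD_LENGTH + 2048)` with `if (record_length > TLS_MAX_CIPHERTEXT_LENGTH) {`, and rewording the expert message and the comment on the define to name the structure each limit applies to. Both functions begin and end outside their hunks, so whether the record is already known to be protected at this point is not visible here.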
@@ -1546,6 +1550,10 @@ ssl_common_dissect_t name = { \
 { & name .ei.resumed, \
 { prefix ".resumed", PI_SEQUENCE, PI_NOTE, \
 "This session reuses previously negotiated keys (Session resumption)", EXPFILL } \
+ }, \
+ { & name .ei.record_length_invalid, \
+ { prefix ".record.length.invalid", PI_PROTOCOL, PI_ERROR, \
+ "Record fragment length must not exceed 2^14", EXPFILL } \
 }
 /* }}} */
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index c50d4bca3b..0e9e6ea137 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -1514,6 +1514,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
 guint8 next_byte;
 proto_tree *ti;
 proto_tree *ssl_record_tree;
+ proto_item *pi;
 guint32 available_bytes;
 ti = NULL;
@@ -1635,8 +1636,11 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
 offset += 2;
 /* add the length */
- proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
+ pi = proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb,
 offset, 2, record_length);
+ if (record_length > TLS_MAX_RECORD_LENGTH) {
+ expert_add_info(pinfo, pi, &dissect_ssl3_hf.ei.record_length_invalid);
+ }
 offset += 2; /* move past length field itself */
 /* |