diff options
| author | basakkal <basakkalfa@gmail.com> | 2018-10-02 04:59:23 -0700 |
|---|---|---|
| committer | Anders Broman <a.broman58@gmail.com> | 2018-10-03 03:51:14 +0000 |
| commit | e885798f22a911c2b23e6e66f9dc98b3b2cc167c (patch) | |
| tree | 38364962db378a422ec836cd0d1990cf078a7116 | |
| parent | 925f8119d7d4f42cf5f035dd308e4a168e92dd23 (diff) | |
s7comm dissector infinite loop error is fixed.
When list_count and list_len are large numbers, their
multiplication exceeds guint16. The multiplication is casted to
guint32. list_len was controlled whether it is 0 or not. However,
list_count should also have been controlled. The control for
list_count is also added to the code. Moreover, if their
multiplication is equal to zero, it should be checked before or in
for loop since it causes infinite loop and it adds more than expected
szl data trees.
Change-Id: I4bb2c076ef830581e529fea05a1d9175feab171c
Reviewed-on: https://code.wireshark.org/review/29979
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
| -rw-r--r-- | epan/dissectors/packet-s7comm_szl_ids.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/epan/dissectors/packet-s7comm_szl_ids.c b/epan/dissectors/packet-s7comm_szl_ids.c index a7d92354ab..e02de13534 100644 --- a/epan/dissectors/packet-s7comm_szl_ids.c +++ b/epan/dissectors/packet-s7comm_szl_ids.c @@ -3998,8 +3998,8 @@ s7comm_decode_ud_cpu_szl_subfunc(tvbuff_t *tvb, * it's not possible to decode this and following telegrams without knowing the previous requests. */ tbytes = 0; - if (list_len > 0) { - if ((list_count * list_len) > (len - 8)) { + if (list_len > 0 && list_count > 0) { + if ( (guint32) (list_count * list_len) > (guint32) (len - 8)) { list_count = (len - 8) / list_len; /* remind the number of trailing bytes */ if (list_count > 0) { @@ -4007,10 +4007,14 @@ s7comm_decode_ud_cpu_szl_subfunc(tvbuff_t *tvb, } } } + else { + tbytes = len - 8; + } + offset += 2; /* Add a Data element for each partlist */ if (len > 8) { /* minimum length of a correct szl data part is 8 bytes */ - for (i = 1; i <= list_count; i++) { + for (i = 1; i <= list_count && (list_count * list_len != 0); i++) { /* Add a separate tree for the SZL data */ szl_item = proto_tree_add_item(data_tree, hf_s7comm_userdata_szl_tree, tvb, offset, list_len, ENC_NA); szl_item_tree = proto_item_add_subtree(szl_item, ett_s7comm_szl); |