authorGerald Combs <gerald@wireshark.org>2021-10-13 10:16:58 -0700
committerGerald Combs <gerald@wireshark.org>2021-10-18 10:30:39 -0700
commite15e987468ca5edcab0ccde70e7bea622783403e (patch)
tree7daeca143f958a47e0df45e51d498dde460231a0
parent3562d76d5af0124da5255479f1ef825685a4d455 (diff)
BT SDP: Don't overrun our continuation state buffer.
Fixes #17635.
-rw-r--r--epan/dissectors/packet-btsdp.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c
index 82bd2fd17a..a60b3051b4 100644
--- a/epan/dissectors/packet-btsdp.c
+++ b/epan/dissectors/packet-btsdp.c
@@ -564,6 +564,7 @@ static int * const hfx_pbap_pse_supported_features[] = {
static expert_field ei_btsdp_continuation_state_none = EI_INIT;
static expert_field ei_btsdp_continuation_state_large = EI_INIT;
static expert_field ei_data_element_value_large = EI_INIT;
+static expert_field ei_length_bad = EI_INIT;
static dissector_handle_t btsdp_handle;
@@ -1458,6 +1459,9 @@ dissect_continuation_state(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo,
return offset;
}
+// The only specification I could find says the max length is 16:
+// https://lost-contact.mit.edu/afs/nada.kth.se/misc/cas/documentation/bluetooth/bluetooth_e.pdf
+#define MAX_CONTINUATION_STATE_LEN 16
static gint
reassemble_continuation_state(tvbuff_t *tvb, packet_info *pinfo,
gint offset, guint tid, gboolean is_request,
@@ -1674,13 +1678,19 @@ reassemble_continuation_state(tvbuff_t *tvb, packet_info *pinfo,
}
} else {
gchar *continuation_state_buffer;
- guint8 continuation_state_length;
+ unsigned continuation_state_length;
continuation_state_length = tvb_get_guint8(tvb, offset);
offset++;
continuation_state_buffer = tvb_bytes_to_str(wmem_file_scope(), tvb, offset, continuation_state_length);
+ if (continuation_state_length > MAX_CONTINUATION_STATE_LEN) {
+ // Try to make do with what we can.
+ expert_add_info(pinfo, NULL, &ei_length_bad);
+ continuation_state_length = MAX_CONTINUATION_STATE_LEN;
+ }
+
if (!pinfo->fd->visited) {
if (is_request) {
tid_request = (tid_request_t *) wmem_new(wmem_file_scope(), tid_request_t);
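Review bot: The new clamp at `if (continuation_state_length > MAX_CONTINUATION_STATE_LEN)` runs after `continuation_state_buffer = tvb_bytes_to_str(wmem_file_scope(), tvb, offset, continuation_state_length);` has already converted the unclamped length, so for an oversized field the stored hex string covers up to 255 bytes while the length saved alongside it is 16; moving the check above the `tvb_bytes_to_str` call keeps the two consistent and bounds the file-scope allocation by the clamped value. `ei_btsdp_continuation_state_large`, declared in the first hunk and registered as "Continuation State data is longer then 16", already describes this exact condition, so reusing it instead of introducing `ei_length_bad` would avoid two expert items for one fault (the same point applies to the registration added in the last hunk). `expert_add_info(pinfo, NULL, &ei_length_bad)` attaches the warning to no tree item, so it appears only in the expert-info summary; if the caller has a length item available, passing it would make the malformed packet easier to locate. The enclosing function reassemble_continuation_state starts and ends outside the hunk, so whether the truncated length later indexes a fixed 16-byte buffer cannot be confirmed from here.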
@@ -6518,6 +6528,7 @@ proto_register_btsdp(void)
{ &ei_btsdp_continuation_state_none, { "btsdp.expert.continuation_state_none", PI_MALFORMED, PI_WARN, "There is no Continuation State", EXPFILL }},
{ &ei_btsdp_continuation_state_large, { "btsdp.expert.continuation_state_large", PI_MALFORMED, PI_WARN, "Continuation State data is longer then 16", EXPFILL }},
{ &ei_data_element_value_large, { "btsdp.expert.data_element.value.large", PI_MALFORMED, PI_WARN, "Data size exceeds the length of payload", EXPFILL }},
+ { &ei_length_bad, { "btsdp.expert.length.bad", PI_MALFORMED, PI_WARN, "Invalid length", EXPFILL }},
};
proto_btsdp = proto_register_protocol("Bluetooth SDP Protocol", "BT SDP", "btsdp");