authorJeff Morriss <jeff.morriss.ws@gmail.com>2018-11-09 15:16:35 -0500
committerAnders Broman <a.broman58@gmail.com>2018-11-10 07:43:04 +0000
commit1ddaf1a0944ffe95d69717ac9fdc60824932f676 (patch)
treee3d5a3fa55fd0a5c8d9684539d660ea22289abd0
parentb0582230f339ac98b05527544e8c6c6668bf2566 (diff)
MMSE: catch length overflows to avoid infinite loop.
After fetching a length from the packet ensure those bytes exist to avoid integer overflows by callers (while avoiding having to ensure every caller checks for overflows). Also add a check to ensure the loop in question is progressing through the TVB; report a dissector bug if it doesn't. Bug: 15250 Change-Id: I9434bfe9d530942fd45342690383df2decacdba1 Reviewed-on: https://code.wireshark.org/review/30560 Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-mmse.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/epan/dissectors/packet-mmse.c b/epan/dissectors/packet-mmse.c
index ffb4faa003..1e3d13abeb 100644
--- a/epan/dissectors/packet-mmse.c
+++ b/epan/dissectors/packet-mmse.c
@@ -487,6 +487,12 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count, packet_info *pi
field = tvb_get_guintvar(tvb, offset, byte_count, pinfo, &ei_mmse_oversized_uintvar);
(*byte_count)++;
}
+
+ /* The packet says there are this many bytes; ensure they're there.
+ * We do this here because several callers do math on the length we
+ * return here and may not catch an overflow.
+ */
+ tvb_ensure_bytes_exist(tvb, offset, field);
return field;
}
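Review bot: The new `tvb_ensure_bytes_exist(tvb, offset, field)` on line 28 starts its range at `offset`, but line 20 shows that `offset` is where the uintvar length indicator itself is read, so the bytes verified begin before the bytes `field` describes; the described value starts only after the indicator, so a packet truncated by up to the indicator's width still passes this check and the caller hits the bounds error later instead. The overflow goal of the commit is still met either way, so this is slack rather than a new hole, but the check would be exact if it started at the end of the indicator, e.g. `tvb_ensure_bytes_exist(tvb, offset + *byte_count, field);` or the `*byte_count - 1` variant, depending on how far `offset` has already been advanced past the first byte. The head of get_value_length, where that advance would happen, is outside the hunk, so the right adjustment has to be confirmed there.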
@@ -689,7 +695,7 @@ static void
dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
const char *message_type)
{
- guint offset;
+ guint offset, old_offset;
guint8 field = 0;
const char *strval;
guint length;
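Review bot: `guint offset, old_offset;` on line 36 declares two variables on one line while the neighbouring declarations (`guint8 field = 0;`, `guint length;`) use one per line; `guint old_offset;` on its own line would match the local style and gives a place to say what it is for. A short trailing comment such as `guint old_offset; /* offset after the previous header, used to verify the header loop makes progress */` would help, since the comparison that uses it lives several hundred lines further down in the last hunk.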
@@ -711,6 +717,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
proto_tree_add_uint(mmse_tree, hf_mmse_message_type, tvb, 0, 2, pdut);
offset = 2; /* Skip Message-Type */
+ old_offset = 1;
/*
* Cycle through MMS-headers
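Review bot: `old_offset = 1;` on line 43 is a magic value whose only purpose appears to be to sit below the initial `offset = 2` so the first progress check in the header loop (added in the final hunk of this commit) does not fire, and nothing at this site says so. A comment would spare the next reader the search, e.g. `old_offset = 1; /* anything below the initial offset: primes the progress check in the header loop */`. Deriving it from the offset instead, `old_offset = offset - 1;` placed right after `offset = 2;`, would keep the two values tied together if the initial offset is ever changed.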
@@ -1209,6 +1216,11 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
break;
}
DebugLog(("\tEnd(case)\n"));
+
+ if (offset <= old_offset) {
+ REPORT_DISSECTOR_BUG("Offset isn't increasing (offset=%u, old offset=%u)", offset, old_offset);
+ }
+ old_offset = offset;
}
DebugLog(("\tEnd(switch)\n"));