author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-06-04 02:01:53 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-06-04 02:01:53 +0000 |
commit | 779d28d39039ada8970c910d8350fc2eb05cf00a (patch) | |
tree | 6ff254bfc504b78523024be546e47b19a212c93e /epan/dissectors/packet-assa_r3.c | |
parent | 29d51623c2b7a9ba970fccee6abb131e7fbc85c6 (diff) |
Fix the fuzz failure reported (by me) in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8764 :
Apply the fix from bug 8539 (r48796) to another function (dissect_r3_upstreamcommand_queryconfig()):
Bail out if the item length we get (which we use to increment the offset) is 0.
Otherwise the offset does not advance and we loop forever.
While we're in there: get the item length just once (there's no need to call
tvb_get_guint8() a half dozen times when one will do).
svn path=/trunk/; revision=49744
Diffstat (limited to 'epan/dissectors/packet-assa_r3.c')
-rw-r--r-- | epan/dissectors/packet-assa_r3.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/epan/dissectors/packet-assa_r3.c b/epan/dissectors/packet-assa_r3.c index 8392ea827c..03486e6a88 100644 --- a/epan/dissectors/packet-assa_r3.c +++ b/epan/dissectors/packet-assa_r3.c @@ -3912,23 +3912,30 @@ dissect_r3_upstreamcommand_queryconfig (tvbuff_t *tvb, guint32 start_offset, gui while (offset < tvb_reported_length (tvb)) { - proto_item *upstreamfield_item; + proto_item *upstreamfield_item, *pi; proto_tree *upstreamfield_tree; const gchar *ci; + guint8 item_length; ci = val_to_str_ext_const (tvb_get_guint8 (tvb, offset + 1), &r3_configitemnames_ext, "[Unknown Configuration Item]"); - upstreamfield_item = proto_tree_add_text (tree, tvb, offset + 0, tvb_get_guint8 (tvb, offset + 0), "Config Field: %s (%u)", ci, tvb_get_guint8 (tvb, offset + 1)); + item_length = tvb_get_guint8 (tvb, offset + 0); + upstreamfield_item = proto_tree_add_text (tree, tvb, offset + 0, item_length, "Config Field: %s (%u)", ci, tvb_get_guint8 (tvb, offset + 1)); upstreamfield_tree = proto_item_add_subtree (upstreamfield_item, ett_r3upstreamfield); - proto_tree_add_item (upstreamfield_tree, hf_r3_configitemlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); + pi = proto_tree_add_item (upstreamfield_tree, hf_r3_configitemlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); + if (item_length == 0) { + expert_add_info_format(pinfo, pi, PI_MALFORMED, PI_WARN, "Invalid item length"); + return; + } + proto_tree_add_item (upstreamfield_tree, hf_r3_configitem, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN); proto_tree_add_item (upstreamfield_tree, hf_r3_configitemtype, tvb, offset + 2, 1, ENC_LITTLE_ENDIAN); switch (tvb_get_guint8 (tvb, offset + 2)) { case CONFIGTYPE_NONE : - proto_tree_add_item (upstreamfield_tree, hf_r3_configitemdata, tvb, offset + 3, tvb_get_guint8 (tvb, offset + 0) - 3, ENC_NA); + proto_tree_add_item (upstreamfield_tree, hf_r3_configitemdata, tvb, offset + 3, item_length - 3, ENC_NA); break; case CONFIGTYPE_BOOL : 
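Review bot: The new guard rejects only item_length == 0, but the same hunk (CONFIGTYPE_NONE branch) and the second hunk (CONFIGTYPE_STRING, default) still pass `item_length - 3` as a field length, so an item length of 1 or 2 yields a negative length; for a 2-byte item that is -1, which proto_tree_add_item presumably treats as "to end of tvb", and for 1 it is a length the tree code should not accept. The loop no longer spins, because offset still advances, but the malformed item is not flagged. Widening the check to `if (item_length < 3) {` covers every `item_length - 3` use in both hunks, and the warning text could say `"Invalid item length (< 3)"` so the reason is visible in the expert info. The enclosing function begins before this hunk and ends in the next one.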
@@ -3948,15 +3955,15 @@ dissect_r3_upstreamcommand_queryconfig (tvbuff_t *tvb, guint32 start_offset, gui
 break;
 case CONFIGTYPE_STRING :
- proto_tree_add_item (upstreamfield_tree, hf_r3_configitemdata_string, tvb, offset + 3, tvb_get_guint8 (tvb, offset + 0) - 3, ENC_ASCII|ENC_NA);
+ proto_tree_add_item (upstreamfield_tree, hf_r3_configitemdata_string, tvb, offset + 3, item_length - 3, ENC_ASCII|ENC_NA);
 break;
 default :
- proto_tree_add_none_format (upstreamfield_tree, hf_r3_upstreamfielderror, tvb, offset + 3, tvb_get_guint8 (tvb, offset + 0) - 3, "Unknown Field Type");
+ proto_tree_add_none_format (upstreamfield_tree, hf_r3_upstreamfielderror, tvb, offset + 3, item_length - 3, "Unknown Field Type");
 break;
 }
- offset += tvb_get_guint8 (tvb, offset + 0);
+ offset += item_length;
 }
 } |