diff options
| author | Gerald Combs <gerald@wireshark.org> | 2020-04-06 10:15:31 -0700 |
|---|---|---|
| committer | Anders Broman <a.broman58@gmail.com> | 2020-04-07 06:49:40 +0000 |
| commit | 15dc2f6bd4c9a674333cbc97260362524d5364de (patch) | |
| tree | b5a8252a58ac9226654af290919be94e71a57249 /epan/dissectors/packet-bacapp.c | |
| parent | 3b7ae88961b3ccc36f3bad52677fef3bfcf8dc3c (diff) | |
BACapp: Add a nesting / recursion check.
Track our recursion depth in fAbstractSyntaxNType. It calls several
functions which in turn call it, which makes it easy to overflow the
stack.
Bug: 16474
Change-Id: Ibad29272f99449bfa13b7422692e20ba8a79e19c
Reviewed-on: https://code.wireshark.org/review/36725
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-bacapp.c')
| -rw-r--r-- | epan/dissectors/packet-bacapp.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/epan/dissectors/packet-bacapp.c b/epan/dissectors/packet-bacapp.c index 5f8f81fcab..658723e374 100644 --- a/epan/dissectors/packet-bacapp.c +++ b/epan/dissectors/packet-bacapp.c @@ -19,6 +19,7 @@ #include <epan/to_str.h> #include <epan/reassemble.h> #include <epan/expert.h> +#include <epan/proto_data.h> #include <epan/stats_tree.h> #include "packet-bacapp.h" @@ -43,6 +44,7 @@ static int bacapp_tap = -1; #define BACAPP_SEGMENT_NAK 0x02 #define BACAPP_SENT_BY 0x01 +#define BACAPP_MAX_RECURSION_DEPTH 100 // Arbitrary /** * dissect_bacapp ::= CHOICE { @@ -6231,6 +6233,7 @@ static gint ett_bacapp_value = -1; static expert_field ei_bacapp_bad_length = EI_INIT; static expert_field ei_bacapp_bad_tag = EI_INIT; static expert_field ei_bacapp_opening_tag = EI_INIT; +static expert_field ei_bacapp_max_recursion_depth_reached = EI_INIT; static gint32 propertyIdentifier = -1; static gint32 propertyArrayIndex = -1; @@ -8494,6 +8497,14 @@ fAbstractSyntaxNType(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint } else { g_snprintf(ar, sizeof(ar), "Abstract Type: "); } + + unsigned recursion_depth = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_bacapp, 0)); + if (++recursion_depth >= BACAPP_MAX_RECURSION_DEPTH) { + proto_tree_add_expert(tree, pinfo, &ei_bacapp_max_recursion_depth_reached, tvb, 0, 0); + return offset; + } + p_add_proto_data(pinfo->pool, pinfo, proto_bacapp, 0, GUINT_TO_POINTER(recursion_depth)); + while (tvb_reported_length_remaining(tvb, offset) > 0) { /* exit loop if nothing happens inside */ lastoffset = offset; fTagHeader(tvb, pinfo, offset, &tag_no, &tag_info, &lvt); @@ -9187,6 +9198,9 @@ fAbstractSyntaxNType(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint } if (offset <= lastoffset) break; /* nothing happened, exit loop */ } + recursion_depth = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_bacapp, 0)); + recursion_depth--; + p_add_proto_data(pinfo->pool, pinfo, proto_bacapp, 0, GUINT_TO_POINTER(recursion_depth)); return offset; } @@ -15345,6 +15359,9 @@ dissect_bacapp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _ bacinfo.instance_ident = NULL; bacinfo.object_ident = NULL; + /* Recursion depth */ + p_add_proto_data(pinfo->pool, pinfo, proto_bacapp, 0, GUINT_TO_POINTER(0)); + switch (bacapp_type) { case BACAPP_TYPE_CONFIRMED_SERVICE_REQUEST: /* segmented messages have 2 additional bytes */ @@ -15861,6 +15878,8 @@ proto_register_bacapp(void) { &ei_bacapp_bad_length, { "bacapp.bad_length", PI_MALFORMED, PI_ERROR, "Wrong length indicated", EXPFILL }}, { &ei_bacapp_bad_tag, { "bacapp.bad_tag", PI_MALFORMED, PI_ERROR, "Wrong tag found", EXPFILL }}, { &ei_bacapp_opening_tag, { "bacapp.bad_opening_tag", PI_MALFORMED, PI_ERROR, "Expected Opening Tag!", EXPFILL }}, + { &ei_bacapp_max_recursion_depth_reached, { "bacapp.max_recursion_depth_reached", + PI_PROTOCOL, PI_WARN, "Maximum allowed recursion depth reached. Dissection stopped.", EXPFILL }} }; expert_module_t* expert_bacapp; |