diff options
| author | Michal Labedzki <michal.labedzki@tieto.com> | 2015-11-08 17:35:24 +0100 |
|---|---|---|
| committer | Michal Labedzki <michal.labedzki@tieto.com> | 2015-11-20 16:02:27 +0000 |
| commit | 928ce9f96665f9d15267b9a468513a0ef1793d30 (patch) | |
| tree | d722dbc7d17941c42b64bf8df256c911c5b12b6f /epan/dissectors/packet-btl2cap.c | |
| parent | 7a7b293d80b490575323014972b68e991e1695df (diff) | |
Bluetooth: Fix remaining lengths
ACL and L2CAP payload contain its length field.
Of course it may be broken for many reasons, so
there is need to check it and show expert info warning.
Bug: 11677
Change-Id: I1988faec9faef70c95161513049ec16ceb8fcf45
Reviewed-on: https://code.wireshark.org/review/11982
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
Diffstat (limited to 'epan/dissectors/packet-btl2cap.c')
| -rw-r--r-- | epan/dissectors/packet-btl2cap.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/epan/dissectors/packet-btl2cap.c b/epan/dissectors/packet-btl2cap.c index e304523c2d..3b1ed6472d 100644 --- a/epan/dissectors/packet-btl2cap.c +++ b/epan/dissectors/packet-btl2cap.c @@ -1883,6 +1883,7 @@ dissect_btl2cap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) gint offset = 0; proto_item *ti; proto_tree *btl2cap_tree; + proto_item *length_item; guint16 length; guint16 cid; guint16 psm; @@ -1912,7 +1913,13 @@ dissect_btl2cap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) } length = tvb_get_letohs(tvb, offset); - proto_tree_add_item(btl2cap_tree, hf_btl2cap_length, tvb, offset, 2, ENC_LITTLE_ENDIAN); + length_item = proto_tree_add_item(btl2cap_tree, hf_btl2cap_length, tvb, offset, 2, ENC_LITTLE_ENDIAN); + if (tvb_captured_length_remaining(tvb, offset) < length) { + expert_add_info(pinfo, length_item, &ei_btl2cap_length_bad); + /* Try to dissect as more as possible */ + length = tvb_captured_length_remaining(tvb, offset) - 4; + } + offset += 2; cid = tvb_get_letohs(tvb, offset); @@ -1959,7 +1966,8 @@ dissect_btl2cap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) if (cid == BTL2CAP_FIXED_CID_SIGNAL || cid == BTL2CAP_FIXED_CID_LE_SIGNAL) { /* This is a command packet*/ - while (offset < (length + 4)) { + while (offset < length + 4) { + proto_item *ti_command; proto_tree *btl2cap_cmd_tree; guint8 cmd_code; @@ -2798,7 +2806,7 @@ proto_register_btl2cap(void) static ei_register_info ei[] = { { &ei_btl2cap_parameter_mismatch, { "btl2cap.parameter_mismatch", PI_PROTOCOL, PI_WARN, "Unexpected frame", EXPFILL }}, { &ei_btl2cap_sdulength_bad, { "btl2cap.sdulength.bad", PI_MALFORMED, PI_WARN, "SDU length bad", EXPFILL }}, - { &ei_btl2cap_length_bad, { "btl2cap.length.bad", PI_MALFORMED, PI_WARN, "Length bad", EXPFILL }}, + { &ei_btl2cap_length_bad, { "btl2cap.length.bad", PI_MALFORMED, PI_WARN, "Length too short", EXPFILL }}, { &ei_btl2cap_unknown_command_code, { "btl2cap.unknown_command_code", PI_PROTOCOL, PI_WARN, "Unknown Command Code", EXPFILL }}, }; |