author | Gerald Combs <gerald@wireshark.org> | 2020-09-21 11:47:24 -0700 |
---|---|---|
committer | AndersBroman <a.broman58@gmail.com> | 2020-09-23 05:13:16 +0000 |
commit | 103d9140ae250f07f81603c4e9acc7d1b1a36730 (patch) | |
tree | ec3a994c4da2f786642aab91a8c537641967d547 /epan/dissectors/packet-kafka.c | |
parent | 99f6ac19693327833bb493ff656f0ece8c684799 (diff) |
Kafka: Check returned offsets.
dissect_kafka_regular_bytes might return -1, so handle that in
dissect_kafka_message_old. Closes #16784.
Diffstat (limited to 'epan/dissectors/packet-kafka.c')
-rw-r--r-- | epan/dissectors/packet-kafka.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/epan/dissectors/packet-kafka.c b/epan/dissectors/packet-kafka.c
index ecbd9f492c..896243eee6 100644
--- a/epan/dissectors/packet-kafka.c
+++ b/epan/dissectors/packet-kafka.c
@@ -1886,6 +1886,7 @@ dissect_kafka_message_old(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
 tvbuff_t *decompressed_tvb;
 int decompressed_offset;
 int start_offset = offset;
+ int bytes_offset;
 gint8 magic_byte;
 guint8 codec;
 guint32 message_size;
@@ -1913,7 +1914,13 @@ dissect_kafka_message_old(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
 offset += 8;
 }
- offset = dissect_kafka_regular_bytes(subtree, hf_kafka_message_key, tvb, pinfo, offset, NULL, NULL);
+ bytes_offset = dissect_kafka_regular_bytes(subtree, hf_kafka_message_key, tvb, pinfo, offset, NULL, NULL);
+ if (bytes_offset > offset) {
+ offset = bytes_offset;
+ } else {
+ expert_add_info(pinfo, message_ti, &ei_kafka_bad_bytes_length);
+ return -1;
+ }
 /*
 * depending on the compression codec, the payload is the actual message payload (codes=none)
@@ -1921,7 +1928,13 @@ dissect_kafka_message_old(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
 * is no such duality.
 */
 if (codec == 0) {
- offset = dissect_kafka_regular_bytes(subtree, hf_kafka_message_value, tvb, pinfo, offset, NULL, &length);
+ bytes_offset = dissect_kafka_regular_bytes(subtree, hf_kafka_message_value, tvb, pinfo, offset, NULL, &length);
+ if (bytes_offset > offset) {
+ offset = bytes_offset;
+ } else {
+ expert_add_info(pinfo, message_ti, &ei_kafka_bad_bytes_length);
+ return -1;
+ }
 } else {
 length = tvb_get_ntohl(tvb, offset);
 offset += 4; |
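Review bot: The two new `return -1;` paths (key bytes in the second hunk, value bytes in the third) make dissect_kafka_message_old itself return -1. If a caller assigns that result straight to its own offset, the bad-offset condition this commit closes would move up one level. The callers are outside these hunks, so each call site should be checked for a matching `> offset` test. I would also record the contract above the function, e.g. `/* Returns the offset past the message, or -1 if a bytes field reports a bad length; callers must not reuse -1 as an offset. */`. As a style point, the six-line check is repeated verbatim in both hunks, and a small static helper would keep the two copies from drifting apart. The function body starts and ends outside the hunks shown, so what follows the compressed `else` branch cannot be judged from here.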