author | Pascal Quantin <pascal.quantin@gmail.com> | 2017-09-14 14:35:32 +0200 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-09-14 13:31:10 +0000 |
commit | afb9ff7982971aba6e42472de0db4c1bedfc641b (patch) | |
tree | 845fc1ac6c4e369560b3a6417abe9e26869bf754 /epan/dissectors/packet-mbim.c | |
parent | f63fc333625480d241a1265992ab34b389dd9ed6 (diff) |
MBIM: stop pre sizing wmem arrays
In case of malformed packet, this can lead to an insane amount of
memory.
Instead let's use the automatic growth mechanism. This way the malformed
packet is caught by the dissection engine.
Bug: 14056
Change-Id: I7bf5b80a516210b341356f5d495f08d1dba05805
Reviewed-on: https://code.wireshark.org/review/23537
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-mbim.c')
-rw-r--r-- | epan/dissectors/packet-mbim.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/epan/dissectors/packet-mbim.c b/epan/dissectors/packet-mbim.c
index 0c6021933f..a5bdff90b3 100644
--- a/epan/dissectors/packet-mbim.c
+++ b/epan/dissectors/packet-mbim.c
@@ -2394,7 +2394,7 @@ mbim_dissect_subscriber_ready_status(tvbuff_t *tvb, packet_info *pinfo _U_, prot
 proto_tree_add_item_ret_uint(tree, hf_mbim_subscr_ready_status_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Telephone Numbers Ref List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_subscr_ready_status_tel_nb_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &pair_list_item.offset);
@@ -2557,7 +2557,7 @@ mbim_dissect_providers(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint
 proto_tree_add_item_ret_uint(tree, hf_mbim_providers_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Providers Ref List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_providers_provider_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &pair_list_item.offset);
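Review bot: The loop bound and the subtree length `8*elem_count` in mbim_dissect_subscriber_ready_status still come straight from the 32-bit count read off the wire, so after this change a malformed count is stopped only by the tvb bounds exception raised by the reads inside the `for` loop, whose body continues outside the hunk. Because `proto_tree_add_item_ret_uint()` fills a `guint32`, `8*elem_count` wraps for counts of 0x20000000 and above, and the subtree is then created with a length unrelated to the list. I would validate the count before using it, for example `if (elem_count > (guint32)tvb_reported_length_remaining(tvb, offset) / 8)` followed by an expert-info item and stopping dissection of the list, so the failure is reported as a bad element count rather than as a generic out-of-bounds read. The same pattern appears in the other eleven hunks of this commit, with `device_services_count`, `element_count` or `packet_filters_count` as the count variable.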
@@ -2903,7 +2903,7 @@ mbim_dissect_provisioned_contexts_info(tvbuff_t *tvb, packet_info *pinfo, proto_
 proto_tree_add_item_ret_uint(tree, hf_mbim_provisioned_contexts_info_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Provisioned Context Ref List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_provisioned_contexts_info_provisioned_context_offset,
@@ -3088,7 +3088,7 @@ mbim_dissect_device_services_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree
 proto_tree_add_item(tree, hf_mbim_device_services_info_max_dss_sessions, tvb, offset, 4, ENC_LITTLE_ENDIAN);
 offset += 4;
 if (device_services_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), device_services_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*device_services_count, ett_mbim_pair_list, NULL, "Device Services Ref List");
 for (i = 0; i < device_services_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_device_services_info_device_services_offset,
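Review bot: Nothing at the allocation in mbim_dissect_device_services_info records why the array is created unsized, and `device_services_count` is read outside the hunk, so a reader of this spot cannot see that the count is untrusted packet data. A one-line comment above the call would keep a later clean-up from reintroducing the pre-sizing: `/* Do not pre-size from the on-wire count: a malformed packet could request a huge allocation (bug 14056) */`. The same comment fits the other eleven `wmem_array_new()` call sites changed in this commit.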
@@ -3153,7 +3153,7 @@ mbim_dissect_device_service_subscribe_list(tvbuff_t *tvb, packet_info *pinfo, pr
 proto_tree_add_item_ret_uint(tree, hf_mbim_device_service_subscribe_element_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &element_count);
 offset += 4;
 if (element_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), element_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*element_count, ett_mbim_pair_list, NULL, "Device Service Subscribe Ref List");
 for (i = 0; i < element_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_device_service_subscribe_device_service_offset,
@@ -3235,7 +3235,7 @@ mbim_dissect_packet_filters(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 proto_tree_add_item_ret_uint(tree, hf_mbim_packet_filters_packet_filters_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &packet_filters_count);
 offset += 4;
 if (packet_filters_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), packet_filters_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*packet_filters_count, ett_mbim_pair_list, NULL, "Packet Filter Ref List");
 for (i = 0; i < packet_filters_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_packet_filters_packet_filters_packet_filter_offset,
@@ -3488,7 +3488,7 @@ mbim_dissect_sms_read_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 proto_tree_add_item_ret_uint(tree, hf_mbim_sms_read_info_element_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &element_count);
 offset += 4;
 if (element_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), element_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*element_count, ett_mbim_pair_list, NULL, "SMS Ref List");
 for (i = 0; i < element_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_sms_read_info_sms_offset,
@@ -3793,7 +3793,7 @@ mbim_dissect_phonebook_read_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *
 proto_tree_add_item_ret_uint(tree, hf_mbim_phonebook_read_info_element_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &element_count);
 offset += 4;
 if (element_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), element_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*element_count, ett_mbim_pair_list, NULL, "Phonebook Ref List");
 for (i = 0; i < element_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_phonebook_read_info_phonebook_offset,
@@ -4208,7 +4208,7 @@ mbim_dissect_adpclk_freq_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tre
 proto_tree_add_item_ret_uint(tree, hf_mbim_adpclk_freq_info_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Element Offset Length Pair");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_adpclk_freq_info_adpclk_freq_value_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &pair_list_item.offset);
@@ -4337,7 +4337,7 @@ mbim_dissect_atds_operators(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 proto_tree_add_item_ret_uint(tree, hf_mbim_atds_operators_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Operators List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_atds_operators_operator_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &pair_list_item.offset);
@@ -4412,7 +4412,7 @@ mbim_dissect_atds_projection_tables(tvbuff_t *tvb, packet_info *pinfo, proto_tre
 proto_tree_add_item_ret_uint(tree, hf_mbim_atds_projection_tables_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "Projection Tables List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_atds_projection_tables_projection_table_offset,
@@ -4449,7 +4449,7 @@ mbim_dissect_multiflow_tft_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t
 proto_tree_add_item_ret_uint(tree, hf_mbim_multiflow_tft_info_elem_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &elem_count);
 offset += 4;
 if (elem_count) {
- pair_list = wmem_array_sized_new(wmem_packet_scope(), sizeof(struct mbim_pair_list), elem_count);
+ pair_list = wmem_array_new(wmem_packet_scope(), sizeof(struct mbim_pair_list));
 subtree = proto_tree_add_subtree(tree, tvb, offset, 8*elem_count, ett_mbim_pair_list, NULL, "TFT List");
 for (i = 0; i < elem_count; i++) {
 proto_tree_add_item_ret_uint(subtree, hf_mbim_multiflow_tft_info_tft_list_offset, |