aboutsummaryrefslogtreecommitdiffstats
path: root/epan/dissectors/packet-mmse.c
diff options
context:
space:
mode:
authorPascal Quantin <pascal.quantin@gmail.com>2016-07-25 17:08:26 +0200
committerAnders Broman <a.broman58@gmail.com>2016-07-26 03:53:29 +0000
commit2193bea3212d74e2a907152055e27d409b59485e (patch)
tree74b12a6513498dcadf50878dbaf056b6b99939cd /epan/dissectors/packet-mmse.c
parent56706427f53cc64793870bf072c2c06248ae88f3 (diff)
WAP: check that tvb_get_guintvar does not overflow
Bug: 12661 Change-Id: I2ef857d6be6595fd89f3dbb8d41c1c70d550ad93 Reviewed-on: https://code.wireshark.org/review/16665 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-mmse.c')
-rw-r--r--epan/dissectors/packet-mmse.c59
1 files changed, 36 insertions, 23 deletions
diff --git a/epan/dissectors/packet-mmse.c b/epan/dissectors/packet-mmse.c
index 9f392ddcf0..561d1e1541 100644
--- a/epan/dissectors/packet-mmse.c
+++ b/epan/dissectors/packet-mmse.c
@@ -35,6 +35,7 @@
#include <epan/packet.h>
+#include <epan/expert.h>
#include <epan/to_str.h>
#include <epan/strutil.h>
#include "packet-wap.h"
@@ -248,6 +249,8 @@ static int hf_mmse_header_bytes = -1;
static gint ett_mmse = -1;
static gint ett_mmse_hdr_details = -1;
+static expert_field ei_mmse_oversized_uintvar = EI_INIT;
+
/*
* Valuestrings for PDU types
*/
@@ -480,11 +483,12 @@ get_text_string(tvbuff_t *tvb, guint offset, const char **strval)
* \param offset Offset within that buffer
* \param byte_count Returns the length in bytes of
* the "Value-length" field.
+ * \param pinfo packet_info structure
*
* \return The actual value of "Value-length"
*/
static guint
-get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count)
+get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count, packet_info *pinfo)
{
guint field;
@@ -492,7 +496,7 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count)
if (field < 31)
*byte_count = 1;
else { /* Must be 31 so, Uintvar follows */
- field = tvb_get_guintvar(tvb, offset, byte_count);
+ field = tvb_get_guintvar(tvb, offset, byte_count, pinfo, &ei_mmse_oversized_uintvar);
(*byte_count)++;
}
return field;
@@ -511,7 +515,7 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count)
* \return The length in bytes of the entire field
*/
static guint
-get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval)
+get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval, packet_info *pinfo)
{
guint field;
guint length;
@@ -520,7 +524,7 @@ get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval)
field = tvb_get_guint8(tvb, offset);
if (field < 32) {
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
if (length < 2) {
*strval = "";
} else {
@@ -774,7 +778,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
}
break;
case MM_BCC_HDR: /* Encoded-string-value */
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree, hf_mmse_bcc, tvb,
offset - 1, length + 1, strval);
@@ -782,7 +786,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
offset += length;
break;
case MM_CC_HDR: /* Encoded-string-value */
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree, hf_mmse_cc, tvb,
offset - 1, length + 1, strval);
@@ -796,7 +800,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
if (length == 0x1F) {
guint length_len = 0;
length = tvb_get_guintvar(tvb, offset + 1,
- &length_len);
+ &length_len, pinfo, &ei_mmse_oversized_uintvar);
length += 1 + length_len;
} else {
length += 1;
@@ -841,7 +845,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
* Value-length(Absolute-token Date-value|
* Relative-token Delta-seconds-value)
*/
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
field = tvb_get_guint8(tvb, offset + count);
if (tree) {
guint tval;
@@ -870,7 +874,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
* Value-length(Absolute-token Date-value|
* Relative-token Delta-seconds-value)
*/
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
field = tvb_get_guint8(tvb, offset + count);
if (tree) {
guint tval;
@@ -897,7 +901,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
* Value-length(Address-present-token Encoded-string-value
* |Insert-address-token)
*/
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
if (tree) {
field = tvb_get_guint8(tvb, offset + count);
if (field == 0x81) {
@@ -906,7 +910,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
"<insert address>");
} else {
(void) get_encoded_strval(tvb, offset + count + 1,
- &strval);
+ &strval, pinfo);
proto_tree_add_string(mmse_tree, hf_mmse_from, tvb,
offset-1, length + count + 1, strval);
}
@@ -992,7 +996,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
if (length == 0x1F) {
guint length_len = 0;
length = tvb_get_guintvar(tvb, offset + 1,
- &length_len);
+ &length_len, pinfo, &ei_mmse_oversized_uintvar);
length += 1 + length_len;
} else {
length += 1;
@@ -1004,7 +1008,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
"<Undecoded value for m-mbox-delete-conf>");
}
} else {
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree,
hf_mmse_response_text, tvb, offset - 1,
@@ -1028,7 +1032,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
}
break;
case MM_SUBJECT_HDR: /* Encoded-string-value */
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree, hf_mmse_subject, tvb,
offset - 1, length + 1, strval);
@@ -1036,7 +1040,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
offset += length;
break;
case MM_TO_HDR: /* Encoded-string-value */
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree, hf_mmse_to, tvb,
offset - 1, length + 1, strval);
@@ -1061,7 +1065,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
if (length == 0x1F) {
guint length_len = 0;
length = tvb_get_guintvar(tvb, offset + 1,
- &length_len);
+ &length_len, pinfo, &ei_mmse_oversized_uintvar);
length += 1 + length_len;
} else {
length += 1;
@@ -1074,7 +1078,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
}
} else {
/* Encoded-string-value */
- length = get_encoded_strval(tvb, offset, &strval);
+ length = get_encoded_strval(tvb, offset, &strval, pinfo);
if (tree) {
proto_tree_add_string(mmse_tree,
hf_mmse_retrieve_text, tvb, offset - 1,
@@ -1102,7 +1106,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
* Value-length(Absolute-token Date-value|
* Relative-token Delta-seconds-value)
*/
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
field = tvb_get_guint8(tvb, offset + count);
if (tree) {
guint tval;
@@ -1144,7 +1148,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
break;
case MM_PREV_SENT_BY_HDR:
/* Value-length Integer-value Encoded-string-value */
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
if (tree) {
guint32 fwd_count, count1, count2;
proto_tree *subtree = NULL;
@@ -1154,7 +1158,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
&count1);
/* 2. Encoded-string-value */
count2 = get_encoded_strval(tvb,
- offset + count + count1, &strval);
+ offset + count + count1, &strval, pinfo);
/* Now render the fields */
tii = proto_tree_add_string_format(mmse_tree,
hf_mmse_prev_sent_by,
@@ -1175,7 +1179,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
break;
case MM_PREV_SENT_DATE_HDR:
/* Value-Length Forwarded-count-value Date-value */
- length = get_value_length(tvb, offset, &count);
+ length = get_value_length(tvb, offset, &count, pinfo);
if (tree) {
guint32 fwd_count, count1, count2;
guint tval;
@@ -1242,7 +1246,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut,
if (peek == 0x1F) { /* Value length in guintvar */
guint length_len = 0;
length = 1 + tvb_get_guintvar(tvb, offset + 1,
- &length_len);
+ &length_len, pinfo, &ei_mmse_oversized_uintvar);
length += length_len;
} else { /* Value length in octet */
length = 1 + tvb_get_guint8(tvb, offset);
@@ -1647,13 +1651,22 @@ proto_register_mmse(void)
&ett_mmse_hdr_details,
};
- /* Register the protocol name and description */
+ static ei_register_info ei[] = {
+ { &ei_mmse_oversized_uintvar, { "mmse.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }}
+ };
+
+ expert_module_t* expert_mmse;
+
+ /* Register the protocol name and description */
proto_mmse = proto_register_protocol("MMS Message Encapsulation",
"MMSE", "mmse");
/* Required function calls to register header fields and subtrees used */
proto_register_field_array(proto_mmse, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
+
+ expert_mmse = expert_register_protocol(proto_mmse);
+ expert_register_field_array(expert_mmse, ei, array_length(ei));
}
/* If this dissector uses sub-dissector registration add registration routine.
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-30 20:28:35 +0000