authorGuy Harris <gharris@sonic.net>2021-06-15 14:32:54 -0700
committerGuy Harris <gharris@sonic.net>2021-06-15 14:56:26 -0700
commit6771252f1bdf0ee611bbbe2f07d7ddbb21725379 (patch)
treefd5a06910cb73227fba4a4d6f8f663c6c0c54c2d /epan/dissectors/packet-netlink-sock_diag.c
parente5ce3345db9e370e50bc69d19b928e42b4ddd61f (diff)
netlink: don't use -1 to mean "to end of packet".
Add dissect_netlink_attributes_to_end(), which takes no length argument, and uses tvb_ensure_reported_length() to get the remaining length in the packet. In dissect_netlink_attributes_common(), treat negative lengths as if they were a positive length >= 2^31, and throw a reported bounds error. Also, throw a bounds error if there's more padding to a 4-byte boundary than there is data in the packet. At that point, we know the length is positive, so assign it to an unsigned variable and use *that* in the loop. Throw an error if the attribute goes past the end of the packet (although we presumably would have done that already). (We really should eliminate all use of -1 as "to the end", and make lengths unsigned. We should also get rid of any places where we're using negative offsets as offsets from the end of the packet - in the few cases where you're dealing with trailers, you want to do that carefully, so as not to throw an exception dissecting the trailer before you get around to dissecting the rest of the packet - and make offsets unsigned as well.)
Diffstat (limited to 'epan/dissectors/packet-netlink-sock_diag.c')
-rw-r--r--epan/dissectors/packet-netlink-sock_diag.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/epan/dissectors/packet-netlink-sock_diag.c b/epan/dissectors/packet-netlink-sock_diag.c
index 07a1dac07a..698c7ad652 100644
--- a/epan/dissectors/packet-netlink-sock_diag.c
+++ b/epan/dissectors/packet-netlink-sock_diag.c
@@ -448,7 +448,7 @@ dissect_sock_diag_unix_reply(tvbuff_t *tvb, netlink_sock_diag_info_t *info, stru
sock_diag_proto_tree_add_cookie(tree, info, nl_data, tvb, offset);
offset += 8;
- return dissect_netlink_attributes(tvb, &hfi_netlink_sock_diag_unix_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, -1, dissect_netlink_unix_sock_diag_reply_attrs);
+ return dissect_netlink_attributes_to_end(tvb, &hfi_netlink_sock_diag_unix_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, dissect_netlink_unix_sock_diag_reply_attrs);
}
/* AF_UNIX request */
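Review bot: The `dissect_netlink_attributes_to_end()` call that ends dissect_sock_diag_unix_reply() treats everything from `offset` to the end of the packet as attributes, per the commit description, so it is only correct if `tvb` has already been limited to this one netlink message, and nothing in the hunk records that. A short comment above the return would make the assumption explicit, e.g. `/* Attributes fill the rest of the message; tvb must be limited to this message by the caller. */`. The same applies to the returns in dissect_sock_diag_inet_reply(), dissect_sock_diag_netlink_reply() and dissect_sock_diag_packet_reply(). The helper's body and the start of each of these functions are outside this page, so it should be confirmed there that a reply with nothing after the fixed header is dissected as zero attributes rather than raising a bounds exception.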
@@ -732,7 +732,7 @@ dissect_sock_diag_inet_reply(tvbuff_t *tvb, netlink_sock_diag_info_t *info, stru
proto_tree_add_item(tree, &hfi_netlink_sock_diag_inode, tvb, offset, 4, nl_data->encoding);
offset += 4;
- return dissect_netlink_attributes(tvb, &hfi_netlink_sock_diag_inet_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, -1, dissect_sock_diag_inet_attributes);
+ return dissect_netlink_attributes_to_end(tvb, &hfi_netlink_sock_diag_inet_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, dissect_sock_diag_inet_attributes);
}
/* AF_INET request */
@@ -853,7 +853,7 @@ dissect_sock_diag_netlink_reply(tvbuff_t *tvb, netlink_sock_diag_info_t *info, s
sock_diag_proto_tree_add_cookie(tree, info, nl_data, tvb, offset);
offset += 8;
- return dissect_netlink_attributes(tvb, &hfi_netlink_sock_diag_netlink_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, -1, dissect_sock_diag_netlink_attributes);
+ return dissect_netlink_attributes_to_end(tvb, &hfi_netlink_sock_diag_netlink_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, dissect_sock_diag_netlink_attributes);
}
/* AF_NETLINK request */
@@ -981,7 +981,7 @@ dissect_sock_diag_packet_reply(tvbuff_t *tvb, netlink_sock_diag_info_t *info, st
sock_diag_proto_tree_add_cookie(tree, info, nl_data, tvb, offset);
offset += 8;
- return dissect_netlink_attributes(tvb, &hfi_netlink_sock_diag_packet_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, -1, dissect_netlink_packet_sock_diag_reply_attrs);
+ return dissect_netlink_attributes_to_end(tvb, &hfi_netlink_sock_diag_packet_attr, ett_netlink_sock_diag_attr, info, nl_data, tree, offset, dissect_netlink_packet_sock_diag_reply_attrs);
}
/* AF_PACKET request */