author | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-08-10 21:07:15 +0000 |
---|---|---|
committer | wmeier <wmeier@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-08-10 21:07:15 +0000 |
commit | 0b2eb7a95d07ae88e3c677162cc765ab546512bf (patch) | |
tree | e2597f3b9a219789497cfc9f2622b79d1ac9d8aa /epan/dissectors/packet-pppoe.c | |
parent | 5fe7951e316909a663687f369fd83cae4664c52c (diff) |
Validate two tag field lengths before attempting to do proto_tree_add_item();
Fixes bug #3841.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@29371 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-pppoe.c')
-rw-r--r-- | epan/dissectors/packet-pppoe.c | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/epan/dissectors/packet-pppoe.c b/epan/dissectors/packet-pppoe.c
index 7792e3e7dc..1c083422ce 100644
--- a/epan/dissectors/packet-pppoe.c
+++ b/epan/dissectors/packet-pppoe.c
@@ -208,6 +208,7 @@ dissect_pppoe_tags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tr
 proto_tree *pppoe_tree;
 proto_item *ti;
+ proto_item *pppoe_tree_tag_length_item;
 /* Start Decoding Here. */
 if (tree)
@@ -228,7 +229,8 @@ dissect_pppoe_tags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tr
 if (global_pppoe_show_tags_and_lengths) {
 proto_tree_add_item(pppoe_tree, hf_pppoed_tag, tvb, tagstart, 2, FALSE);
- proto_tree_add_item(pppoe_tree, hf_pppoed_tag_length, tvb, tagstart+2, 2, FALSE);
+ pppoe_tree_tag_length_item =
+ proto_tree_add_item(pppoe_tree, hf_pppoed_tag_length, tvb, tagstart+2, 2, FALSE);
 }
 /* Show tag data */
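Review bot: `pppoe_tree_tag_length_item` is declared without an initializer in the first hunk and is assigned only inside the `if (global_pppoe_show_tags_and_lengths)` branch of the second, so it holds an indeterminate value whenever that preference is off. Every later use therefore has to repeat exactly the same preference test, which is easy to miss in a dissector that parses untrusted packet data. Declaring it as `proto_item *pppoe_tree_tag_length_item = NULL;` would let later code test the pointer itself instead. If the assignment sits inside a per-tag loop, which is not visible in these hunks, the pointer should also be reset for each tag so that a stale item from a previous tag is never annotated.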
@@ -347,12 +349,30 @@ dissect_pppoe_tags(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tr
 }
 break;
 case PPPOE_TAG_SEQ_NUM:
- proto_tree_add_item(pppoe_tree, hf_pppoed_tag_seq_num, tvb,
- tagstart+4, poe_tag_length, FALSE);
+ if (poe_tag_length == 2) {
+ proto_tree_add_item(pppoe_tree, hf_pppoed_tag_seq_num, tvb,
+ tagstart+4, poe_tag_length, FALSE);
+ } else {
+ if (global_pppoe_show_tags_and_lengths)
+ proto_item_append_text(pppoe_tree_tag_length_item, " [Wrong: should be 2]");
+ expert_add_info_format(pinfo, pppoe_tree, PI_MALFORMED, PI_WARN,
+ "Sequence Number tag: Wrong length: %d (expected 2)",
+ poe_tag_length);
+ return; /* we can do no more */
+ }
 break;
 case PPPOE_TAG_CRED_SCALE:
- proto_tree_add_item(pppoe_tree, hf_pppoed_tag_cred_scale, tvb,
- tagstart+4, poe_tag_length, FALSE);
+ if (poe_tag_length == 2) {
+ proto_tree_add_item(pppoe_tree, hf_pppoed_tag_cred_scale, tvb,
+ tagstart+4, poe_tag_length, FALSE);
+ } else {
+ if (global_pppoe_show_tags_and_lengths)
+ proto_item_append_text(pppoe_tree_tag_length_item, " [Wrong: should be 2]");
+ expert_add_info_format(pinfo, pppoe_tree, PI_MALFORMED, PI_WARN,
+ "Credit Scale Factor tag: Wrong length: %d (expected 2)",
+ poe_tag_length);
+ return; /* we can do no more */
+ }
 break;
 case PPPOE_TAG_RELAY_ID:
 proto_tree_add_item(pppoe_tree, hf_pppoed_tag_relay_session_id, tvb, |
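Review bot: The `return; /* we can do no more */` in both new `else` branches ends dissection of every tag after a single wrong-length Sequence Number or Credit Scale Factor tag, so one malformed tag hides the rest of the frame from whoever is analysing the capture. If the enclosing loop (outside this hunk) advances by the tag's own length field, a plain `break;` after the expert info would keep the remaining tags visible. If the return is deliberate, the comment should say why, for example `/* length is untrustworthy; stop rather than misparse what follows */`. The two branches differ only in the hf field and the message text, so a small static helper would keep the checks from drifting apart. Any other case in this switch that passes `poe_tag_length` straight to a fixed-width field would need the same guard, but the rest of the switch is not visible here.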