diff options
| author | Michael Mann <mmann78@netscape.net> | 2016-07-09 09:05:12 -0400 |
|---|---|---|
| committer | Michael Mann <mmann78@netscape.net> | 2016-07-09 14:17:34 +0000 |
| commit | a9d5256890c9189c7461bfce6ed6edce5d861499 (patch) | |
| tree | ac8fc3f2f09dd89745cf320872d8c53dd82f426b /epan/dissectors/packet-wsp.c | |
| parent | 8e1cc70fd57e958ef5f062f1a6367d85ebc9fed1 (diff) | |
packet-wsp.c: Fix infinite loop in add_headers
Bug: 12594
Change-Id: Id86d1e5f2db12871bc1b345721e79e57192f01e1
Reviewed-on: https://code.wireshark.org/review/16355
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-wsp.c')
| -rw-r--r-- | epan/dissectors/packet-wsp.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c index 32f6171b44..2b2b18922a 100644 --- a/epan/dissectors/packet-wsp.c +++ b/epan/dissectors/packet-wsp.c @@ -379,6 +379,7 @@ static expert_field ei_wsp_invalid_parameter_value = EI_INIT; static expert_field ei_wsp_undecoded_parameter = EI_INIT; static expert_field ei_hdr_x_wap_tod = EI_INIT; static expert_field ei_wsp_trailing_quote = EI_INIT; +static expert_field ei_wsp_header_invalid = EI_INIT; /* Handle for WSP-over-UDP dissector */ @@ -4378,6 +4379,7 @@ add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *pinfo) guint8 hdr_id, val_id, codepage = 1; gint32 tvb_len = tvb_reported_length(tvb); gint32 offset = 0; + gint32 save_offset; gint32 hdr_len, hdr_start; gint32 val_len, val_start; gchar *hdr_str, *val_str; @@ -4401,13 +4403,25 @@ add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *pinfo) hdr_len = 1; /* Call header value dissector for given header */ if (codepage == 1) { /* Default header code page */ + save_offset = offset; offset = WellKnownHeader[hdr_id & 0x7F](wsp_headers, tvb, hdr_start, pinfo); + /* Make sure we're progressing forward */ + if (save_offset <= offset) { + expert_add_info(pinfo, ti, &ei_wsp_header_invalid); + break; + } } else { /* Openwave header code page */ /* Here I'm delibarately assuming that Openwave is the only * company that defines a WSP header code page. */ + save_offset = offset; offset = WellKnownOpenwaveHeader[hdr_id & 0x7F](wsp_headers, tvb, hdr_start, pinfo); + /* Make sure we're progressing forward */ + if (save_offset <= offset) { + expert_add_info(pinfo, ti, &ei_wsp_header_invalid); + break; + } } } else if (hdr_id == 0x7F) { /* HCP shift sequence */ codepage = tvb_get_guint8(tvb, offset+1); @@ -7142,6 +7156,7 @@ proto_register_wsp(void) { &ei_hdr_x_wap_tod, { "wsp.header.x_wap_tod.not_text", PI_PROTOCOL, PI_WARN, "Should be encoded as a textual value", EXPFILL }}, { &ei_wsp_undecoded_parameter, { "wsp.undecoded_parameter", PI_UNDECODED, PI_WARN, "Invalid parameter value", EXPFILL }}, { &ei_wsp_trailing_quote, { "wsp.trailing_quote", PI_PROTOCOL, PI_WARN, "Quoted-string value has been encoded with a trailing quote", EXPFILL }}, + { &ei_wsp_header_invalid, { "wsp.header_invalid", PI_MALFORMED, PI_ERROR, "Malformed header", EXPFILL }}, }; expert_module_t* expert_wsp; |