field | value | date |
---|---|---|
author | Chloe Pelling <cpelling@google.com> | 2021-08-16 17:41:57 +1000 |
committer | Chloe Pelling <cpelling@google.com> | 2021-08-16 23:06:36 +0000 |
commit | a2b17d3dbe77cd8ca220f93aeb542c023a797c60 | |
tree | ac7deccf33c3fab10fe23111eda2710b2b32fadb /epan/dissectors/packet-x11.c | |
parent | f5dc703259b398678effb11d9d55d0f017146053 | |
X11: Handle GenericEvents longer than 32 bytes.

While X11 Events are generally fixed-length, GenericEvents extend the protocol
to provide a length field, similar to Replies. As noted in the extension spec,
if a GenericEvent longer than 32 bytes is sent to a client unable to process it,
"future interpretation of replies and events by this client will fail." See
https://www.x.org/releases/current/doc/xextproto/geproto.html

This patch merely prevents that failure case. It does not attempt to
meaningfully dissect the contents of such packets, which in any case will vary
depending on the relevant X11 extension.
Diffstat (limited to 'epan/dissectors/packet-x11.c')
-rw-r--r-- | epan/dissectors/packet-x11.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/epan/dissectors/packet-x11.c b/epan/dissectors/packet-x11.c index fc805db12a..a0a035e54a 100644 --- a/epan/dissectors/packet-x11.c +++ b/epan/dissectors/packet-x11.c @@ -5207,7 +5207,7 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) */ if (x11_desegment && pinfo->can_desegment) { /* - * Yes - is the X11 reply header split across + * Yes - is the X11 Reply or GenericEvent header split across * segment boundaries? */ if (length_remaining < 8) { @@ -5282,6 +5282,24 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) break; } + case GenericEvent: + { + /* An Event, but with a length field like a Reply. */ + + /* To avoid an "assert w/side-effect" warning, + * use a non-volatile temp variable instead. */ + int tmp_plen; + + /* GenericEvent's length is also in units of four. */ + tmp_plen = plen = 32 + tvb_get_guint32(tvb, offset + 4, byte_order) * 4; + /* If tmp_plen < 32, we got an overflow; + * the event length is too long. */ + THROW_ON(tmp_plen < 32, ReportedBoundsError); + HANDLE_REPLY(plen, length_remaining, + "Event", dissect_x11_event); + break; + } + default: /* Event */ plen = 32; |
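Review bot: In the new `case GenericEvent:` block, the `tmp_plen < 32` test does not catch every oversized length, because `tvb_get_guint32(tvb, offset + 4, byte_order) * 4` is evaluated in unsigned 32-bit arithmetic and wraps before the comparison is made. A length field of 0x40000000 produces a `plen` of exactly 32 and 0x40000001 produces 36, and both pass the `THROW_ON`, so a malformed capture is framed as a short event instead of being reported. The check only fires when the wrapped sum lands below 32 or happens to convert to a negative `int`, and that conversion of an out-of-range unsigned value is implementation-defined. I would read the field into a `guint32` first, throw `ReportedBoundsError` when it exceeds `(G_MAXINT - 32) / 4`, and only then compute `plen` from the validated value. The declared type of `plen` is not visible in this hunk, so please confirm that the bound chosen fits it as well. A capture with a GenericEvent whose length field is 0x40000000 would make a good regression test for this path.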