authorChloe Pelling <cpelling@google.com>2021-08-16 17:41:57 +1000
committerChloe Pelling <cpelling@google.com>2021-08-16 23:06:36 +0000
commita2b17d3dbe77cd8ca220f93aeb542c023a797c60 (patch)
treeac7deccf33c3fab10fe23111eda2710b2b32fadb /epan/dissectors/packet-x11.c
parentf5dc703259b398678effb11d9d55d0f017146053 (diff)
X11: Handle GenericEvents longer than 32 bytes.
While X11 Events are generally fixed-length, GenericEvents extend the protocol to provide a length field, similar to Replies. As noted in the extension spec, if a GenericEvent longer than 32 bytes is sent to a client unable to process it, "future interpretation of replies and events by this client will fail." See https://www.x.org/releases/current/doc/xextproto/geproto.html This patch merely prevents that failure case. It does not attempt to meaningfully dissect the contents of such packets, which in any case will vary depending on the relevant X11 extension.
Diffstat (limited to 'epan/dissectors/packet-x11.c')
-rw-r--r--epan/dissectors/packet-x11.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/epan/dissectors/packet-x11.c b/epan/dissectors/packet-x11.c
index fc805db12a..a0a035e54a 100644
--- a/epan/dissectors/packet-x11.c
+++ b/epan/dissectors/packet-x11.c
@@ -5207,7 +5207,7 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
*/
if (x11_desegment && pinfo->can_desegment) {
/*
- * Yes - is the X11 reply header split across
+ * Yes - is the X11 Reply or GenericEvent header split across
* segment boundaries?
*/
if (length_remaining < 8) {
@@ -5282,6 +5282,24 @@ dissect_x11_replies(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
break;
}
+ case GenericEvent:
+ {
+ /* An Event, but with a length field like a Reply. */
+
+ /* To avoid an "assert w/side-effect" warning,
+ * use a non-volatile temp variable instead. */
+ int tmp_plen;
+
+ /* GenericEvent's length is also in units of four. */
+ tmp_plen = plen = 32 + tvb_get_guint32(tvb, offset + 4, byte_order) * 4;
+ /* If tmp_plen < 32, we got an overflow;
+ * the event length is too long. */
+ THROW_ON(tmp_plen < 32, ReportedBoundsError);
+ HANDLE_REPLY(plen, length_remaining,
+ "Event", dissect_x11_event);
+ break;
+ }
+
default:
/* Event */
plen = 32;
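Review bot: The overflow guard in the new `GenericEvent` case misses some wraps, because `32 + tvb_get_guint32(...) * 4` is evaluated in 32-bit unsigned arithmetic before it is stored in the `int`: a wire length of 0x40000000 (constructed example) wraps to exactly 32, passes `tmp_plen < 32`, and the oversized event is then handled as an ordinary 32-byte one. Since the length field is attacker-controlled capture data, bound it before multiplying rather than testing the product: `guint32 ge_len = tvb_get_guint32(tvb, offset + 4, byte_order);`, `THROW_ON(ge_len > (G_MAXINT32 - 32) / 4, ReportedBoundsError);`, `plen = 32 + ge_len * 4;`. With that, `tmp_plen` is no longer needed, and the "If tmp_plen < 32, we got an overflow" comment should be reworded to describe the pre-multiplication bound. The comments suggest this case mirrors the Reply handling, which lies outside the hunk and presumably has the same gap; `dissect_x11_replies` and the enclosing switch also begin and end outside the hunk.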