packet-slsk.c: Fix (many potential) SLSK long dissector loops

Bug: 13576 Change-Id: I9a0f6c6b682877ed7b5ce4b6b249d4aa4034096a Reviewed-on: https://code.wireshark.org/review/21020 Reviewed-by: Michael Mann <mmann78@netscape.net>
author: Michael Mann <mmann78@netscape.net> 2017-04-11 16:38:35 -0400
committer: Michael Mann <mmann78@netscape.net> 2017-04-11 23:23:59 +0000
commit: 9830eadad0d850aa3318120120f5ef5b2d66337b (patch)
tree: 7f88c42177294c4fab0cea00155e3416d7ded1c2 /epan/dissectors
parent: 0d040f699cb62e621709ede912ae0bf939e2daaf (diff)
1 files changed, 34 insertions, 0 deletions
diff --git a/epan/dissectors/packet-slsk.c b/epan/dissectors/packet-slsk.c
index 4847d063a2..5707d48a05 100644
--- a/epan/dissectors/packet-slsk.c
+++ b/epan/dissectors/packet-slsk.c
@@ -788,6 +788,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -805,6 +807,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_status_code, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -818,6 +822,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "iiiii*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -844,6 +850,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
               "Number of Slotsfull Records: %d", tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1496,6 +1504,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -1544,6 +1554,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -1588,6 +1600,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1619,6 +1633,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Strings: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1696,6 +1712,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_number_of_rooms, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1801,6 +1819,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1831,6 +1851,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "iiiii*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1857,6 +1879,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
               "Number of Slotsfull Records: %d", tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1910,6 +1934,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Privileged Users: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -2105,6 +2131,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Parent Addresses: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "sii*")) {
               guint32 len;
@@ -2171,6 +2199,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_item(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, ENC_LITTLE_ENDIAN);
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -2215,6 +2245,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -2259,6 +2291,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
author	Michael Mann <mmann78@netscape.net>	2017-04-11 16:38:35 -0400
committer	Michael Mann <mmann78@netscape.net>	2017-04-11 23:23:59 +0000
commit	9830eadad0d850aa3318120120f5ef5b2d66337b (patch)
tree	7f88c42177294c4fab0cea00155e3416d7ded1c2 /epan/dissectors
parent	0d040f699cb62e621709ede912ae0bf939e2daaf (diff)