diff options
| author | Stig Bjørlykke <stig@bjorlykke.org> | 2018-01-09 15:27:46 +0100 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2018-01-09 16:21:36 +0000 |
| commit | c51560985a43592a79c29baba4f79f399a8e15dd (patch) | |
| tree | dabd1f665655a9b6f0e7f63fae5b5c8b1ac6a196 /epan/tvbparse.c | |
| parent | d769b7cb7ae203b784a4f440d93624bb5c6bae81 (diff) | |
Fix tvbparse recursion limit check.
When doing recursion check we must also count down when done.
Bug: 14253
Change-Id: Icacc86e8b25e106e151117dbcc2f132b1bbe898e
Reviewed-on: https://code.wireshark.org/review/25226
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'epan/tvbparse.c')
| -rw-r--r-- | epan/tvbparse.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/epan/tvbparse.c b/epan/tvbparse.c index cc9cbcf46f..d9d2349840 100644 --- a/epan/tvbparse.c +++ b/epan/tvbparse.c @@ -431,10 +431,12 @@ static int cond_one_of(tvbparse_t* tt, const int offset, const tvbparse_wanted_t #ifdef TVBPARSE_DEBUG if (TVBPARSE_DEBUG & TVBPARSE_DEBUG_ONEOF) ws_g_warning("cond_one_of: GOT len=%i",curr_len); #endif + tt->recursion_depth--; return curr_len; } } + tt->recursion_depth--; return -1; } @@ -496,8 +498,10 @@ static int cond_hash(tvbparse_t* tt, const int offset, const tvbparse_wanted_t* key_len = wanted->control.hash.key->condition(tt, offset, wanted->control.hash.key, &key_elem); - if (key_len < 0) + if (key_len < 0) { + tt->recursion_depth--; return -1; + } key = tvb_get_string_enc(wmem_packet_scope(),key_elem->tvb,key_elem->offset,key_elem->len, ENC_ASCII); #ifdef TVBPARSE_DEBUG @@ -508,12 +512,17 @@ static int cond_hash(tvbparse_t* tt, const int offset, const tvbparse_wanted_t* value_len = value_wanted->condition(tt, offset + key_len, value_wanted, &value_elem); } else if (wanted->control.hash.other) { value_len = wanted->control.hash.other->condition(tt, offset+key_len, wanted->control.hash.other, &value_elem); - if (value_len < 0) + if (value_len < 0) { + tt->recursion_depth--; return -1; + } } else { + tt->recursion_depth--; return -1; } + tt->recursion_depth--; + tot_len = key_len + value_len; ret_tok = new_tok(tt, value_elem->id, offset, tot_len, wanted); @@ -596,9 +605,10 @@ static int cond_seq(tvbparse_t* tt, int offset, const tvbparse_wanted_t * wanted tvbparse_wanted_t* w = (tvbparse_wanted_t *)g_ptr_array_index(wanted->control.elems,i); tvbparse_elem_t* new_elem = NULL; - if ( offset + w->len > tt->end_offset ) + if ( offset + w->len > tt->end_offset ) { + tt->recursion_depth--; return -1; - + } len = w->condition(tt, offset, w, &new_elem); @@ -614,6 +624,7 @@ static int cond_seq(tvbparse_t* tt, int offset, const tvbparse_wanted_t * wanted new_elem->last = new_elem; } } else { + tt->recursion_depth--; return -1; } @@ -621,6 +632,8 @@ static int cond_seq(tvbparse_t* tt, int offset, const tvbparse_wanted_t * wanted offset += ignore_fcn(tt,offset); } + tt->recursion_depth--; + *tok = ret_tok; #ifdef TVBPARSE_DEBUG @@ -680,8 +693,10 @@ static int cond_some(tvbparse_t* tt, int offset, const tvbparse_wanted_t * wante tvbparse_elem_t* new_elem = NULL; int consumed; - if ( offset > tt->end_offset ) + if ( offset > tt->end_offset ) { + tt->recursion_depth--; return -1; + } consumed = wanted->control.subelem->condition(tt, offset, wanted->control.subelem, &new_elem); @@ -708,6 +723,8 @@ static int cond_some(tvbparse_t* tt, int offset, const tvbparse_wanted_t * wante got_so_far++; } + tt->recursion_depth--; + #ifdef TVBPARSE_DEBUG if (TVBPARSE_DEBUG & TVBPARSE_DEBUG_SOME) ws_g_warning("cond_some: got num=%u",got_so_far); #endif @@ -766,6 +783,8 @@ static int cond_until(tvbparse_t* tt, const int offset, const tvbparse_wanted_t len = wanted->control.until.subelem->condition(tt, target_offset++, wanted->control.until.subelem, &new_elem); } while(len < 0 && target_offset+1 < tt->end_offset); + tt->recursion_depth--; + if (len >= 0) { new_elem->id = wanted->id; |