diff options
author | Anders Broman <anders.broman@ericsson.com> | 2012-12-03 13:55:03 +0000 |
---|---|---|
committer | Anders Broman <anders.broman@ericsson.com> | 2012-12-03 13:55:03 +0000 |
commit | a07cfc3b5025b44a86e53aceffc04ae80f34b80e (patch) | |
tree | ed1fbb595a371bddce3ce473a2d7bdfdbc5501bf /epan | |
parent | e23327c0bb81a45b86943bfe35fbcbf297a1c160 (diff) |
Protect against malformed crypto-suite parameters.
Fixes SDP infinite loop.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8041
svn path=/trunk/; revision=46344
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-sdp.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/epan/dissectors/packet-sdp.c b/epan/dissectors/packet-sdp.c index ca3b739f8f..267e02593d 100644 --- a/epan/dissectors/packet-sdp.c +++ b/epan/dissectors/packet-sdp.c @@ -1839,6 +1839,10 @@ static void dissect_sdp_media_attribute(tvbuff_t *tvb, packet_info *pinfo, proto /* We are at the first colon */ /* tag */ next_offset = tvb_find_guint8(tvb, offset, -1, ' '); + if(next_offset==-1){ + /* XXX Add expert item? */ + return; + } tokenlen = next_offset - offset; proto_tree_add_uint(sdp_media_attribute_tree, hf_sdp_crypto_tag, tvb, offset, tokenlen, atoi((char*)tvb_get_ephemeral_string(tvb, offset, tokenlen))); @@ -1846,6 +1850,10 @@ static void dissect_sdp_media_attribute(tvbuff_t *tvb, packet_info *pinfo, proto /* crypto-suite */ next_offset = tvb_find_guint8(tvb, offset, -1, ' '); + if(next_offset==-1){ + /* XXX Add expert item? */ + return; + } tokenlen = next_offset - offset; proto_tree_add_item(sdp_media_attribute_tree, hf_sdp_crypto_crypto_suite, tvb, offset, tokenlen, ENC_ASCII|ENC_NA); @@ -1894,10 +1902,6 @@ static void dissect_sdp_media_attribute(tvbuff_t *tvb, packet_info *pinfo, proto has_more_pars = FALSE; param_end_offset = tvb_length(tvb); } - parameter_item = proto_tree_add_text(sdp_media_attribute_tree, - tvb, offset, param_end_offset-offset, "Key parameters"); - parameter_tree = proto_item_add_subtree(parameter_item, ett_sdp_crypto_key_parameters); - /* key-method or key-method-ext */ next_offset = tvb_find_guint8(tvb, offset, -1, ':'); if (next_offset == -1) { @@ -1905,7 +1909,11 @@ static void dissect_sdp_media_attribute(tvbuff_t *tvb, packet_info *pinfo, proto "Invalid key-param (no ':' delimiter)"); break; } + if (tvb_strncaseeql(tvb, offset, "inline", next_offset-offset) == 0) { + parameter_item = proto_tree_add_text(sdp_media_attribute_tree, + tvb, offset, param_end_offset-offset, "Key parameters"); + parameter_tree = proto_item_add_subtree(parameter_item, ett_sdp_crypto_key_parameters); /* XXX only for SRTP? */ /* srtp-key-info = key-salt ["|" lifetime] ["|" mki] */ offset = next_offset +1; @@ -1971,10 +1979,7 @@ static void dissect_sdp_media_attribute(tvbuff_t *tvb, packet_info *pinfo, proto } offset = param_end_offset; } else { - tokenlen = param_end_offset - next_offset + 1; - proto_tree_add_text(parameter_tree, tvb, next_offset + 1, tokenlen, - "%s", tvb_get_ephemeral_string(tvb, next_offset + 1, tokenlen)); - offset = param_end_offset; + break; } } |