authorPascal Quantin <pascal.quantin@gmail.com>2017-06-07 14:18:52 +0200
committerPascal Quantin <pascal.quantin@gmail.com>2017-06-07 14:21:21 +0000
commite82fa761d671fd4e1c6cdeccd57473fb18982e87 (patch)
treed71a6009e88414818dbcb7ac92f2995d2dc63cf3 /epan
parent5598faa3429b36a904e3ebc4cb5cd20f94a2b3ab (diff)
RANAP: prevent heuristic dissector from adding info to tree or triggering exception
Bug: 13770 Change-Id: I6ba5dfb5098ea1a4d4d1e2d740382326c7d58f8c Reviewed-on: https://code.wireshark.org/review/22006 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Ivan Nardi <nardi.ivan@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/asn1/ranap/packet-ranap-template.c21
-rw-r--r--epan/dissectors/packet-ranap.c27
2 files changed, 33 insertions, 15 deletions
diff --git a/epan/dissectors/asn1/ranap/packet-ranap-template.c b/epan/dissectors/asn1/ranap/packet-ranap-template.c
index 6dcc0b92de..ef7c2d7de0 100644
--- a/epan/dissectors/asn1/ranap/packet-ranap-template.c
+++ b/epan/dissectors/asn1/ranap/packet-ranap-template.c
@@ -267,12 +267,9 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
{
guint8 temp;
guint16 word;
- asn1_ctx_t asn1_ctx;
guint length;
int offset;
- asn1_ctx_init(&asn1_ctx, ASN1_ENC_PER, TRUE, pinfo);
-
/* Is it a ranap packet?
*
* 4th octet should be the length of the rest of the message.
@@ -285,9 +282,21 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
#define LENGTH_OFFSET 3
#define MSG_TYPE_OFFSET 1
if (tvb_captured_length(tvb) < RANAP_MSG_MIN_LENGTH) { return FALSE; }
- /* Read the length NOTE offset in bits */
- offset = dissect_per_length_determinant(tvb, LENGTH_OFFSET<<3, &asn1_ctx, tree, -1, &length, NULL);
- offset = offset>>3;
+ /* compute aligned PER length determinant without calling dissect_per_length_determinant()
+ to avoid exceptions and info added to tree, info column and expert info */
+ offset = LENGTH_OFFSET;
+ length = tvb_get_guint8(tvb, offset);
+ offset += 1;
+ if ((length & 0x80) == 0x80) {
+ if ((length & 0xc0) == 0x80) {
+ length &= 0x3f;
+ length <<= 8;
+ length += tvb_get_guint8(tvb, offset);
+ offset += 1;
+ } else {
+ length = 0;
+ }
+ }
if (length!= (tvb_reported_length(tvb) - offset)){
return FALSE;
}
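Review bot: The `else { length = 0; }` branch, taken when the top two bits of the length octet are `11` (a fragmented length determinant), rejects the packet only indirectly: it relies on the remaining length `tvb_reported_length(tvb) - offset` never being zero. Returning directly, `} else { return FALSE; }`, would make the rejection explicit and independent of the later comparison. Separately, the second `tvb_get_guint8(tvb, offset)` reads offset 4 and stays exception-free only if `RANAP_MSG_MIN_LENGTH` is at least 5, a value not visible in this hunk; a comment next to the captured-length guard, such as `/* guard also covers the 2-octet length form read below */`, would keep a later edit from breaking the heuristic's no-exception guarantee. The same lines appear in the generated copy in packet-ranap.c, which would pick up the change on regeneration. The body of dissect_sccp_ranap_heur starts and continues outside this hunk.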
diff --git a/epan/dissectors/packet-ranap.c b/epan/dissectors/packet-ranap.c
index d08383b008..c6d594e26a 100644
--- a/epan/dissectors/packet-ranap.c
+++ b/epan/dissectors/packet-ranap.c
@@ -14987,12 +14987,9 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
{
guint8 temp;
guint16 word;
- asn1_ctx_t asn1_ctx;
guint length;
int offset;
- asn1_ctx_init(&asn1_ctx, ASN1_ENC_PER, TRUE, pinfo);
-
/* Is it a ranap packet?
*
* 4th octet should be the length of the rest of the message.
@@ -15005,9 +15002,21 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
#define LENGTH_OFFSET 3
#define MSG_TYPE_OFFSET 1
if (tvb_captured_length(tvb) < RANAP_MSG_MIN_LENGTH) { return FALSE; }
- /* Read the length NOTE offset in bits */
- offset = dissect_per_length_determinant(tvb, LENGTH_OFFSET<<3, &asn1_ctx, tree, -1, &length, NULL);
- offset = offset>>3;
+ /* compute PER aligned length determinant without calling dissect_per_length_determinant()
+ to avoid exceptions and info added to tree, info column and expert info */
+ offset = LENGTH_OFFSET;
+ length = tvb_get_guint8(tvb, offset);
+ offset += 1;
+ if ((length & 0x80) == 0x80) {
+ if ((length & 0xc0) == 0x80) {
+ length &= 0x3f;
+ length <<= 8;
+ length += tvb_get_guint8(tvb, offset);
+ offset += 1;
+ } else {
+ length = 0;
+ }
+ }
if (length!= (tvb_reported_length(tvb) - offset)){
return FALSE;
}
@@ -18217,7 +18226,7 @@ void proto_register_ranap(void) {
NULL, HFILL }},
/*--- End of included file: packet-ranap-hfarr.c ---*/
-#line 332 "./asn1/ranap/packet-ranap-template.c"
+#line 341 "./asn1/ranap/packet-ranap-template.c"
};
/* List of subtrees */
@@ -18581,7 +18590,7 @@ void proto_register_ranap(void) {
&ett_ranap_Outcome,
/*--- End of included file: packet-ranap-ettarr.c ---*/
-#line 340 "./asn1/ranap/packet-ranap-template.c"
+#line 349 "./asn1/ranap/packet-ranap-template.c"
};
@@ -19008,7 +19017,7 @@ proto_reg_handoff_ranap(void)
/*--- End of included file: packet-ranap-dis-tab.c ---*/
-#line 389 "./asn1/ranap/packet-ranap-template.c"
+#line 398 "./asn1/ranap/packet-ranap-template.c"
} else {
dissector_delete_uint("sccp.ssn", local_ranap_sccp_ssn, ranap_handle);
}