authorPascal Quantin <pascal.quantin@gmail.com>2018-12-28 10:38:44 +0100
committerMichael Mann <mmann78@netscape.net>2018-12-28 14:08:53 +0000
commit6180d0fdaa5e27de9fcddba7bd9d47adc0c71a42 (patch)
tree2680cf83d8b0a88ab92cd67d4b8569b415b97f93 /epan
parent4b3cd73de274a14004000ae6d33ac7067a017c81 (diff)
GTPv2: fix dissection of APN IE
The total maximum length of the APN with Network Identifier and Operator Identifier is 100 bytes. Bug: 15383 Change-Id: Ib74eac1f18f2235c2788e58370f50eeb9a678357 Reviewed-on: https://code.wireshark.org/review/31225 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-gtpv2.c64
1 files changed, 29 insertions, 35 deletions
diff --git a/epan/dissectors/packet-gtpv2.c b/epan/dissectors/packet-gtpv2.c
index 6c7b4325d1..e935e27670 100644
--- a/epan/dissectors/packet-gtpv2.c
+++ b/epan/dissectors/packet-gtpv2.c
@@ -696,6 +696,7 @@ static expert_field ei_gtpv2_mbms_session_duration_days = EI_INIT;
static expert_field ei_gtpv2_mbms_session_duration_secs = EI_INIT;
static expert_field ei_gtpv2_ie = EI_INIT;
static expert_field ei_gtpv2_int_size_not_handled = EI_INIT;
+static expert_field ei_gtpv2_apn_too_long = EI_INIT;
/* Definition of User Location Info (AVP 22) masks */
#define GTPv2_ULI_CGI_MASK 0x01
@@ -1990,21 +1991,20 @@ dissect_gtpv2_apn(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, proto
int name_len, tmp;
if (length > 0) {
- name_len = tvb_get_guint8(tvb, offset);
+ proto_item *pi;
- if (name_len < 0x20) {
- apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, length - 1, ENC_ASCII);
- for (;;) {
- if (name_len >= length - 1)
- break;
- tmp = name_len;
- name_len = name_len + apn[tmp] + 1;
- apn[tmp] = '.';
- }
- } else{
- apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, length, ENC_ASCII);
+ name_len = tvb_get_guint8(tvb, offset);
+ apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, length - 1, ENC_ASCII);
+ for (;;) {
+ if (name_len >= length - 1)
+ break;
+ tmp = name_len;
+ name_len = name_len + apn[tmp] + 1;
+ apn[tmp] = '.';
}
- proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, length, apn);
+ pi = proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, length, apn);
+ if (length > 100)
+ expert_add_info(pinfo, pi, &ei_gtpv2_apn_too_long);
}
if (apn)
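Review bot: The loop exits on `name_len >= length - 1`, but only equality means the labels exactly fill the IE; a final label-length octet that claims more bytes than remain is displayed without any expert info. Since this field comes straight from captured traffic, a check after the loop such as `if (name_len > length - 1)` that attaches a separate malformed-encoding expert item to `pi` would make truncated or inconsistent APN encodings visible to the analyst. The length octets are also read from `apn`, the buffer returned by `tvb_get_string_enc(..., ENC_ASCII)`, not from the tvb; if that decoding rewrites octets with the high bit set, later indices may no longer line up with the wire data, so reading each length with `tvb_get_guint8` would be more robust. The declaration of `apn` and the rest of dissect_gtpv2_apn lie outside this hunk, and the same pattern appears in the dissect_gtpv2_apn_and_relative_capacity hunk.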
@@ -6771,29 +6771,22 @@ dissect_gtpv2_apn_and_relative_capacity(tvbuff_t *tvb, packet_info *pinfo _U_, p
proto_tree_add_item(tree, hf_gtpv2_apn_length, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
- if (apn_length > 0)
- {
- name_len = tvb_get_guint8(tvb, offset);
+ if (apn_length > 0) {
+ proto_item *pi;
- if (name_len < 0x20)
- {
- apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, apn_length - 1, ENC_ASCII);
- for (;;)
- {
- if (name_len >= apn_length - 1)
- break;
- tmp = name_len;
- name_len = name_len + apn[tmp] + 1;
- apn[tmp] = '.';
- }
- }
- else
- {
- apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, apn_length, ENC_ASCII);
- }
- proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, apn_length, apn);
+ name_len = tvb_get_guint8(tvb, offset);
+ apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, apn_length - 1, ENC_ASCII);
+ for (;;) {
+ if (name_len >= apn_length - 1)
+ break;
+ tmp = name_len;
+ name_len = name_len + apn[tmp] + 1;
+ apn[tmp] = '.';
}
-
+ pi = proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, apn_length, apn);
+ if (apn_length > 100)
+ expert_add_info(pinfo, pi, &ei_gtpv2_apn_too_long);
+ }
}
/*
* 8.117 Paging and Service Information
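Review bot: The label-to-dot loop and the `> 100` check added here are a line-for-line copy of the ones in the dissect_gtpv2_apn hunk, so any later fix to the APN decoding has to be made in two places. A small static helper that takes the tvb, offset and length, adds the string item and returns the `proto_item`, together with a named constant for the 100-octet limit, would keep both callers in step. The hunk headers also still show `packet_info *pinfo _U_` for both functions although `pinfo` is now passed to `expert_add_info`; the signatures lie outside the hunks, so this is worth confirming and the `_U_` marker dropped if it is still present.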
@@ -10217,7 +10210,8 @@ void proto_register_gtpv2(void)
{ &ei_gtpv2_mbms_session_duration_days, { "gtpv2.mbms_session_duration_days.invalid", PI_PROTOCOL, PI_WARN, "Days out of allowed range", EXPFILL }},
{ &ei_gtpv2_mbms_session_duration_secs, { "gtpv2.mbms_session_duration_secs.unknown", PI_PROTOCOL, PI_WARN, "Seconds out of allowed range", EXPFILL }},
{ &ei_gtpv2_ie, { "gtpv2.ie_type.reserved", PI_PROTOCOL, PI_WARN, "IE type Zero is Reserved and should not be used", EXPFILL }},
- { &ei_gtpv2_int_size_not_handled,{ "gtpv2.ie_type.int_size_not_handled", PI_PROTOCOL, PI_WARN, "Integer size not handled yet", EXPFILL } },
+ { &ei_gtpv2_int_size_not_handled, { "gtpv2.ie_type.int_size_not_handled", PI_PROTOCOL, PI_WARN, "Integer size not handled yet", EXPFILL } },
+ { &ei_gtpv2_apn_too_long, { "gtpv2.apn_too_long", PI_PROTOCOL, PI_WARN, "APN encoding has more than 100 octets", EXPFILL } },
};
expert_module_t* expert_gtpv2;