authorUlf Lamping <ulf.lamping@web.de>2005-07-01 21:04:13 +0000
committerUlf Lamping <ulf.lamping@web.de>2005-07-01 21:04:13 +0000
commit2ce8d2a30f519ad93ef8aaf2e29fcc96ab95c2dd (patch)
treec5e1bcc1278dd9072b28d40e266c7a3cae57830c /epan
parent22fff1e1f308ed3849c3dddd15eff189bb7326ea (diff)
fixed various issues (two serious ones) found by "private" fuzz-testing
svn path=/trunk/; revision=14830
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-bssgp.c8
-rw-r--r--epan/dissectors/packet-gsm_a.c2
-rw-r--r--epan/dissectors/packet-isns.c6
-rw-r--r--epan/dissectors/packet-smpp.c16
4 files changed, 31 insertions, 1 deletions
diff --git a/epan/dissectors/packet-bssgp.c b/epan/dissectors/packet-bssgp.c
index 2e085f372b..38013c4c6b 100644
--- a/epan/dissectors/packet-bssgp.c
+++ b/epan/dissectors/packet-bssgp.c
@@ -1309,6 +1309,7 @@ decode_mobile_identity(bssgp_ie_t *ie, build_info_t *bi, int ie_start_offset) {
case BSSGP_MOBILE_IDENTITY_TYPE_IMEISV:
num_digits = 1 + (ie->value_length - 1) * 2;
if (odd_even != ODD ) num_digits--;
+ if (num_digits > MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError);
i = 0;
digits[i] = get_masked_guint8(data, BSSGP_MASK_LEFT_OCTET_HALF);
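Review bot: The new guard on `num_digits` checks only the upper bound, so a `value_length` of 0 still yields `1 + (0 - 1) * 2`, which passes the comparison as a negative count if `num_digits` is signed. Whether that matters depends on the loop after the hunk and on the declared size of `digits`, neither of which is visible here; since the check allows equality, `digits` needs room for `MAX_NUM_IMSI_DIGITS` entries plus a terminator. I would reject the short element up front with `if (ie->value_length < 1 || num_digits > MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError);` and add a comment such as `/* value_length comes from the packet; digits[] holds at most MAX_NUM_IMSI_DIGITS entries */`. The case body continues past the end of the hunk.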
@@ -5377,7 +5378,14 @@ decode_pdu_ran_information(build_info_t *bi) {
decode_pdu_general(ies, 7, bi);
while (tvb_length_remaining(bi->tvb, bi->offset) >= 4) {
+ guint32 org_offset = bi->offset;
+
decode_ie(&ies[7], bi);
+
+ /* prevent an endless loop */
+ if(org_offset == bi->offset) {
+ THROW(ReportedBoundsError);
+ }
}
}
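Review bot: The progress check after `decode_ie(&ies[7], bi)` only catches an offset that did not move; if a malformed element could ever leave `bi->offset` lower than before (its type and the arithmetic inside `decode_ie` are not visible here), the loop would still spin. `if (bi->offset <= org_offset) { THROW(ReportedBoundsError); }` covers both cases at no cost. The comment could also name the cause: `/* decode_ie() consumed nothing: stop instead of looping forever on the same bytes */`. Declaring `org_offset` with the same type as `bi->offset` rather than a fixed `guint32` would avoid a signed/unsigned comparison if that field turns out to be signed.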
diff --git a/epan/dissectors/packet-gsm_a.c b/epan/dissectors/packet-gsm_a.c
index e9e3b645ff..ba56e19350 100644
--- a/epan/dissectors/packet-gsm_a.c
+++ b/epan/dissectors/packet-gsm_a.c
@@ -16373,6 +16373,8 @@ dissect_dtap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
default:
str = gsm_a_pd_str[pd];
+ /* XXX - hf_idx is still -1! this is a bug in the implementation, and I don't know how to fix it so simple return here */
+ return;
break;
}
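Review bot: The early `return;` in the `default:` branch leaves the `break;` after it unreachable and makes the `str = gsm_a_pd_str[pd];` assignment dead, and a frame with an unhandled protocol discriminator now vanishes from the tree without any indication. The comment says `hf_idx` is still -1 here, so bailing out is a reasonable stopgap, but I would drop the dead `break;` and add a tree item or column text naming the unsupported discriminator before returning, so an analyst can tell the message was skipped rather than empty. Rewording the comment to `/* XXX - no hf_idx is assigned for this protocol discriminator (still -1); stop here until it is handled properly */` would make the intent clearer. The switch and the rest of dissect_dtap lie outside the hunk.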
diff --git a/epan/dissectors/packet-isns.c b/epan/dissectors/packet-isns.c
index fc41e4f75f..28700096e3 100644
--- a/epan/dissectors/packet-isns.c
+++ b/epan/dissectors/packet-isns.c
@@ -1121,6 +1121,8 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
return (offset+8);
}
+ tvb_ensure_bytes_exist(tvb, offset, len);
+
switch( tag )
{
case ISNS_ATTR_TAG_DELIMITER:
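Review bot: `tvb_ensure_bytes_exist(tvb, offset, len)` appears to check the wrong window: the early exit just above returns `offset+8`, which suggests `offset` still points at the 8-byte tag/length header and the value starts at `offset + 8`. If so, the last 8 bytes of the value are not covered, and `tvb_ensure_bytes_exist(tvb, offset + 8, len);` is what the per-tag handlers need. This is inferred from the `return (offset+8)` context line only; the helper bodies are not in the diff and should be checked. A comment such as `/* the whole attribute value must be present before any per-tag handler reads it */` would document why the check sits ahead of the switch.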
@@ -1133,9 +1135,11 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_entity_protocol, tag, len, function_id);
break;
case ISNS_ATTR_TAG_MGMT_IP_ADDRESS:
+ if(len != 16) THROW(ReportedBoundsError);
offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_mgmt_ip_addr, tag, len);
break;
case ISNS_ATTR_TAG_TIMESTAMP:
+ if(len != 8) THROW(ReportedBoundsError);
offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_timestamp, tag, len, function_id);
break;
case ISNS_ATTR_TAG_PROTOCOL_VERSION_RANGE:
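Review bot: The `len != 16` and `len != 8` checks are added per `case`, so other callers of the same helpers stay unguarded: the `dissect_isns_attr_integer` call for `hf_isns_entity_protocol` directly above gets no length check, and the same per-case pattern repeats for `ISNS_ATTR_TAG_PORTAL_IP_ADDRESS` and `ISNS_ATTR_TAG_PG_PORTAL_IP_ADDR` in the next two hunks. Validating the length inside `dissect_isns_attr_ip_address` and `dissect_isns_attr_integer`, which each know the widths they can handle, would cover every tag at once and keep a future case from missing it. If the checks stay here, name the constants, e.g. `#define ISNS_IP_ADDR_LEN 16`, and add a comment that `len` is taken from the packet. The helper bodies are outside the diff, so the lengths they actually accept should be confirmed there.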
@@ -1157,6 +1161,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
offset = dissect_isns_attr_not_decoded_yet(tvb, offset, tree, hf_isns_not_decoded_yet, tag, len);
break;
case ISNS_ATTR_TAG_PORTAL_IP_ADDRESS:
+ if(len != 16) THROW(ReportedBoundsError);
offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_portal_ip_addr, tag, len);
break;
case ISNS_ATTR_TAG_PORTAL_PORT:
@@ -1220,6 +1225,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
offset = dissect_isns_attr_string(tvb, offset, tree, hf_isns_pg_iscsi_name, tag, len);
break;
case ISNS_ATTR_TAG_PG_PORTAL_IP_ADDR:
+ if(len != 16) THROW(ReportedBoundsError);
offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_pg_portal_ip_addr, tag, len);
break;
case ISNS_ATTR_TAG_PG_PORTAL_PORT:
diff --git a/epan/dissectors/packet-smpp.c b/epan/dissectors/packet-smpp.c
index ff7b3c8530..8d73dc120e 100644
--- a/epan/dissectors/packet-smpp.c
+++ b/epan/dissectors/packet-smpp.c
@@ -2389,7 +2389,21 @@ proto_register_smpp(void)
HFILL
}
},
- { &hf_smpp_user_message_reference,
+ { &hf_smpp_source_subaddress,
+ { "Source Subaddress", "smpp.source_subaddress",
+ FT_STRING, BASE_NONE, NULL, 0x00,
+ "Source Subaddress",
+ HFILL
+ }
+ },
+ { &hf_smpp_dest_subaddress,
+ { "Destination Subaddress", "smpp.dest_subaddress",
+ FT_STRING, BASE_NONE, NULL, 0x00,
+ "Destination Subaddress",
+ HFILL
+ }
+ },
+ { &hf_smpp_user_message_reference,
{ "Message reference", "smpp.user_message_reference",
FT_UINT16, BASE_HEX, NULL, 0x00,
"Reference to the message, assigned by the user.",
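Review bot: Both new `hf` entries repeat the field name as the description (`"Source Subaddress"`, `"Destination Subaddress"`), which tells the user nothing; something like `"Subaddress of the message originator"` would match the neighbouring `"Reference to the message, assigned by the user."`. The entries register the fields as `FT_STRING`; if the call sites (not in this hunk) pass an octet string whose content is not guaranteed to be text, `FT_BYTES` would be the safer type, which is worth confirming. The removed and re-added `{ &hf_smpp_user_message_reference,` line appears to differ only in whitespace, which adds noise to the diff.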