author | Ulf Lamping <ulf.lamping@web.de> | 2005-07-01 21:04:13 +0000 |
---|---|---|
committer | Ulf Lamping <ulf.lamping@web.de> | 2005-07-01 21:04:13 +0000 |
commit | 2ce8d2a30f519ad93ef8aaf2e29fcc96ab95c2dd (patch) | |
tree | c5e1bcc1278dd9072b28d40e266c7a3cae57830c /epan | |
parent | 22fff1e1f308ed3849c3dddd15eff189bb7326ea (diff) |
fixed various issues (two serious ones) found by "private" fuzz-testing
svn path=/trunk/; revision=14830
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-bssgp.c | 8 | ||||
-rw-r--r-- | epan/dissectors/packet-gsm_a.c | 2 | ||||
-rw-r--r-- | epan/dissectors/packet-isns.c | 6 | ||||
-rw-r--r-- | epan/dissectors/packet-smpp.c | 16 |
4 files changed, 31 insertions, 1 deletions
diff --git a/epan/dissectors/packet-bssgp.c b/epan/dissectors/packet-bssgp.c index 2e085f372b..38013c4c6b 100644 --- a/epan/dissectors/packet-bssgp.c +++ b/epan/dissectors/packet-bssgp.c @@ -1309,6 +1309,7 @@ decode_mobile_identity(bssgp_ie_t *ie, build_info_t *bi, int ie_start_offset) { case BSSGP_MOBILE_IDENTITY_TYPE_IMEISV: num_digits = 1 + (ie->value_length - 1) * 2; if (odd_even != ODD ) num_digits--; + if (num_digits > MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError); i = 0; digits[i] = get_masked_guint8(data, BSSGP_MASK_LEFT_OCTET_HALF); @@ -5377,7 +5378,14 @@ decode_pdu_ran_information(build_info_t *bi) { decode_pdu_general(ies, 7, bi); while (tvb_length_remaining(bi->tvb, bi->offset) >= 4) { + guint32 org_offset = bi->offset; + decode_ie(&ies[7], bi); + + /* prevent an endless loop */ + if(org_offset == bi->offset) { + THROW(ReportedBoundsError); + } } } diff --git a/epan/dissectors/packet-gsm_a.c b/epan/dissectors/packet-gsm_a.c index e9e3b645ff..ba56e19350 100644 --- a/epan/dissectors/packet-gsm_a.c +++ b/epan/dissectors/packet-gsm_a.c @@ -16373,6 +16373,8 @@ dissect_dtap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) default: str = gsm_a_pd_str[pd]; + /* XXX - hf_idx is still -1! this is a bug in the implementation, and I don't know how to fix it so simple return here */ + return; break; } diff --git a/epan/dissectors/packet-isns.c b/epan/dissectors/packet-isns.c index fc41e4f75f..28700096e3 100644 --- a/epan/dissectors/packet-isns.c +++ b/epan/dissectors/packet-isns.c @@ -1121,6 +1121,8 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset, return (offset+8); } + tvb_ensure_bytes_exist(tvb, offset, len); + switch( tag ) { case ISNS_ATTR_TAG_DELIMITER: 
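Review bot: In decode_mobile_identity (packet-bssgp.c), the new `num_digits > MAX_NUM_IMSI_DIGITS` check still admits num_digits equal to MAX_NUM_IMSI_DIGITS, which is one too many if `digits` has exactly that many elements and a terminating NUL is written after the last digit. The declaration of `digits` and the code that fills it lie outside this hunk, so this needs confirming; if it holds, the guard should be `if (num_digits >= MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError);` or be written against `sizeof digits`. The check also has no lower bound: with `ie->value_length` of 0 the expression `1 + (ie->value_length - 1) * 2` goes negative or wraps, depending on operand types that are not visible here. A comment such as `/* value_length comes from the packet; bound it before filling digits[] */` would record why the check exists.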
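Review bot: The loop guard in decode_pdu_ran_information (packet-bssgp.c) stores `bi->offset` in a `guint32`, but the type of `bi->offset` is not visible in this hunk; if it is a signed `int`, `org_offset` should be declared with that same type to avoid a mixed-sign comparison. The guard also fires only when the offset is unchanged, so `if (bi->offset <= org_offset)` would additionally catch decode_ie() moving the offset backwards on crafted input, should that be possible. Any other `while (tvb_length_remaining(...))` loop in this file that relies on decode_ie() to advance the offset would want the same progress check.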
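Review bot: In the `default:` arm of dissect_dtap (packet-gsm_a.c), the added `return;` makes the following `break;` unreachable and turns `str = gsm_a_pd_str[pd];` into a dead store. Returning silently also means a message with an unhandled protocol discriminator adds nothing further to the tree, so crafted or unsupported input looks the same as an empty message to the analyst. Consider adding a tree item that names the unknown discriminator before returning, and drop the dead `break;`. The comment would read better as `/* XXX - hf_idx is still -1 here: no handler for this protocol discriminator, so stop dissecting */`. The switch head and the code that consumes hf_idx lie outside the hunk.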
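Review bot: In AddAttribute (packet-isns.c), `tvb_ensure_bytes_exist(tvb, offset, len)` checks a range that starts at the attribute header rather than at the value. The early `return (offset+8);` just above suggests the tag and length fields occupy the first 8 bytes, so the value would end at `offset + 8 + len`. If the attribute helpers read the value from `offset + 8` (they are outside this hunk), the check is 8 bytes short and should be `tvb_ensure_bytes_exist(tvb, offset + 8, len);`. A short comment noting that `len` is taken from the packet would make the intent clear.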
@@ -1133,9 +1135,11 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset, offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_entity_protocol, tag, len, function_id); break; case ISNS_ATTR_TAG_MGMT_IP_ADDRESS: + if(len != 16) THROW(ReportedBoundsError); offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_mgmt_ip_addr, tag, len); break; case ISNS_ATTR_TAG_TIMESTAMP: + if(len != 8) THROW(ReportedBoundsError); offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_timestamp, tag, len, function_id); break; case ISNS_ATTR_TAG_PROTOCOL_VERSION_RANGE: @@ -1157,6 +1161,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset, offset = dissect_isns_attr_not_decoded_yet(tvb, offset, tree, hf_isns_not_decoded_yet, tag, len); break; case ISNS_ATTR_TAG_PORTAL_IP_ADDRESS: + if(len != 16) THROW(ReportedBoundsError); offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_portal_ip_addr, tag, len); break; case ISNS_ATTR_TAG_PORTAL_PORT: @@ -1220,6 +1225,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset, offset = dissect_isns_attr_string(tvb, offset, tree, hf_isns_pg_iscsi_name, tag, len); break; case ISNS_ATTR_TAG_PG_PORTAL_IP_ADDR: + if(len != 16) THROW(ReportedBoundsError); offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_pg_portal_ip_addr, tag, len); break; case ISNS_ATTR_TAG_PG_PORTAL_PORT: diff --git a/epan/dissectors/packet-smpp.c b/epan/dissectors/packet-smpp.c index ff7b3c8530..8d73dc120e 100644 --- a/epan/dissectors/packet-smpp.c +++ b/epan/dissectors/packet-smpp.c 
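Review bot: The length checks added in AddAttribute (packet-isns.c) use bare literals (`len != 16`, `len != 8`), and the IP-address check is repeated at each call site: ISNS_ATTR_TAG_MGMT_IP_ADDRESS in this hunk, then ISNS_ATTR_TAG_PORTAL_IP_ADDRESS and ISNS_ATTR_TAG_PG_PORTAL_IP_ADDR in the following hunks. Moving `if (len != 16) THROW(ReportedBoundsError);` into dissect_isns_attr_ip_address() would cover every current and future caller in one place. The other dissect_isns_attr_integer() call visible here, for hf_isns_entity_protocol, gets no length check, so it is worth confirming that the helper tolerates an arbitrary packet-supplied `len`. If the checks stay at the call sites, named constants for the 16-byte address and the 8-byte timestamp would document where the numbers come from.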
@@ -2389,7 +2389,21 @@ proto_register_smpp(void) HFILL } }, - { &hf_smpp_user_message_reference, + { &hf_smpp_source_subaddress, + { "Source Subaddress", "smpp.source_subaddress", + FT_STRING, BASE_NONE, NULL, 0x00, + "Source Subaddress", + HFILL + } + }, + { &hf_smpp_dest_subaddress, + { "Destination Subaddress", "smpp.dest_subaddress", + FT_STRING, BASE_NONE, NULL, 0x00, + "Destination Subaddress", + HFILL + } + }, + { &hf_smpp_user_message_reference, { "Message reference", "smpp.user_message_reference", FT_UINT16, BASE_HEX, NULL, 0x00, "Reference to the message, assigned by the user.", |