authorJiří Engelthaler <EngyCZ@gmail.com>2018-10-20 20:30:27 +0200
committerMichael Mann <mmann78@netscape.net>2018-10-21 18:30:37 +0000
commitb8b827522722b286f184d5c766badc6be9ce1d08 (patch)
tree21afcc1c401f42f45dfc22969760bb1df2b92838 /plugins/epan
parentaed46e7eb1ac29704175eeeb6f8e69fb5b8a2e04 (diff)
opcua: add missing opcua_nested_count decrement
Nest testing was added in I5f6da3a3e269f6db1b690b77470ddf60045bcedd as a reaction to CVE-2018-12086. In this change there was only a nest increment without a decrement. Bug: 15226 Change-Id: I178fad4be1106c8da23351220c95c85274bddc30 Reviewed-on: https://code.wireshark.org/review/30285 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'plugins/epan')
-rw-r--r--plugins/epan/opcua/opcua_simpletypes.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/plugins/epan/opcua/opcua_simpletypes.c b/plugins/epan/opcua/opcua_simpletypes.c
index ab006b7552..32d0c591d3 100644
--- a/plugins/epan/opcua/opcua_simpletypes.c
+++ b/plugins/epan/opcua/opcua_simpletypes.c
@@ -814,11 +814,12 @@ void parseDiagnosticInfo(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gi
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
- if (++opcua_nested_count > MAX_NESTING_DEPTH)
+ if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
+ opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
/* parse encoding mask */
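Review bot: The read, check, increment and store sequence around `opcua_nested_count` is now written out three times (here and in the parseVariant and parseExtensionObject hunks), and each copy has to stay paired with a decrement at the far end of a long function. A small static helper pair, one that refuses entry once `MAX_NESTING_DEPTH` is reached and one that stores the decremented value on the way out, would keep the depth limit introduced for CVE-2018-12086 in a single place. If the code stays inline, a comment at the increment such as `/* depth is kept in per-packet proto data; every exit below must decrement it */` would make the pairing explicit. The body of parseDiagnosticInfo continues outside this hunk.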
@@ -857,6 +858,9 @@ void parseDiagnosticInfo(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gi
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
+
+ opcua_nested_count--;
+ p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
void parseQualifiedName(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOffset, const char *szFieldName)
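Review bot: The decrement added at the end of parseDiagnosticInfo runs only when the function falls through to its closing brace, so any other exit between the increment and this point leaves the stored depth raised. The code between the two hunks is not visible here; if it contains an early `return`, or if a tvb accessor raises a dissector exception on a truncated packet, the count is not restored and later OPC UA structures in the same packet could trigger `ei_nesting_depth` without actually being nested that deep. The same applies to the decrements added to parseVariant and parseExtensionObject. Consider having the top-level OPC UA dissector store 0 under this key before each message, and document the assumption here with `/* not reached on exceptions; the caller resets the count per message */`.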
@@ -932,11 +936,12 @@ void parseVariant(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOf
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
- if (++opcua_nested_count > MAX_NESTING_DEPTH)
+ if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
+ opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
EncodingMask = tvb_get_guint8(tvb, iOffset);
@@ -1037,6 +1042,9 @@ void parseVariant(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOf
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
+
+ opcua_nested_count--;
+ p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
/** General parsing function for arrays of simple types.
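Review bot: Each parsed Variant now calls `p_add_proto_data` twice for the same key, once after the increment and once after this decrement. If `p_add_proto_data` adds a new list entry on every call rather than overwriting the existing one (worth confirming in its implementation), the per-packet proto data list and pool usage grow with the number of Variants, DiagnosticInfos and ExtensionObjects in a message, and a large array in a crafted packet makes that growth significant. If the proto data API offers a replace-in-place call, use it here and in the decrement hunks of parseDiagnosticInfo and parseExtensionObject. Otherwise, storing a pointer to a pool-allocated counter once and updating the counter through that pointer avoids the repeated adds.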
@@ -1200,11 +1208,12 @@ void parseExtensionObject(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, g
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
- if (++opcua_nested_count > MAX_NESTING_DEPTH)
+ if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
+ opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
/* add nodeid subtree */
@@ -1223,6 +1232,9 @@ void parseExtensionObject(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, g
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
+
+ opcua_nested_count--;
+ p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
void parseExpandedNodeId(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOffset, const char *szFieldName)