From 9830eadad0d850aa3318120120f5ef5b2d66337b Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Tue, 11 Apr 2017 16:38:35 -0400
Subject: packet-slsk.c: Fix (many potential) SLSK long dissector loops

Bug: 13576
Change-Id: I9a0f6c6b682877ed7b5ce4b6b249d4aa4034096a
Reviewed-on: https://code.wireshark.org/review/21020
Reviewed-by: Michael Mann <mmann78@netscape.net>
---
 epan/dissectors/packet-slsk.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

(limited to 'epan/dissectors')

diff --git a/epan/dissectors/packet-slsk.c b/epan/dissectors/packet-slsk.c
index 4847d063a2..5707d48a05 100644
--- a/epan/dissectors/packet-slsk.c
+++ b/epan/dissectors/packet-slsk.c
@@ -788,6 +788,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -805,6 +807,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_status_code, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -818,6 +822,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "iiiii*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -844,6 +850,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
               "Number of Slotsfull Records: %d", tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1496,6 +1504,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -1544,6 +1554,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -1588,6 +1600,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1619,6 +1633,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Strings: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1696,6 +1712,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_number_of_rooms, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1801,6 +1819,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -1831,6 +1851,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             i=0; j = tvb_get_letohl(tvb, offset);
             proto_tree_add_uint(slsk_tree, hf_slsk_users_in_room, tvb, offset, 4, tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "iiiii*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1857,6 +1879,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
               "Number of Slotsfull Records: %d", tvb_get_letohl(tvb, offset));
             offset += 4;
+            if (j > tvb_reported_length_remaining(tvb, offset))
+              break;
             while (i<j){
               if (check_slsk_format(tvb, offset, "i*")) {
                 proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
@@ -1910,6 +1934,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Privileged Users: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
@@ -2105,6 +2131,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Parent Addresses: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "sii*")) {
               guint32 len;
@@ -2171,6 +2199,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           i=0; j = tvb_get_letohl(tvb, offset);
           proto_tree_add_item(slsk_tree, hf_slsk_number_of_users, tvb, offset, 4, ENC_LITTLE_ENDIAN);
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -2215,6 +2245,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "si*")) {
               guint32 len;
@@ -2259,6 +2291,8 @@ static int dissect_slsk_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
           proto_tree_add_uint_format(slsk_tree, hf_slsk_integer, tvb, offset, 4, tvb_get_letohl(tvb, offset),
             "Number of Recommendations: %d", tvb_get_letohl(tvb, offset));
           offset += 4;
+          if (j > tvb_reported_length_remaining(tvb, offset))
+            break;
           while (i<j){
             if (check_slsk_format(tvb, offset, "s*")) {
               guint32 len;
-- 
cgit v1.2.3