GSM A: detect buffer overrun when decoding MS Classmark 3 IE

Change-Id: I12d372afd8a50b9a04f92c53077e79116db6c255
Reviewed-on: https://code.wireshark.org/review/31024
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
This commit is contained in:
Pascal Quantin 2018-12-12 21:35:52 +01:00
parent fcd75fb954
commit 144d481c20
1 changed files with 7 additions and 2 deletions


@ -758,6 +758,7 @@ static expert_field ei_gsm_a_unknown_pdu_type = EI_INIT;
static expert_field ei_gsm_a_no_element_dissector = EI_INIT;
static expert_field ei_gsm_a_format_not_supported = EI_INIT;
static expert_field ei_gsm_a_mobile_identity_type = EI_INIT;
static expert_field ei_gsm_a_ie_length_too_short = EI_INIT;
sccp_assoc_info_t* sccp_assoc;
@ -2432,8 +2433,10 @@ de_ms_cm_2(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset,
#define AVAILABLE_BITS_CHECK(n) \
bits_left = ((len + offset) << 3) - bit_offset; \
if (bits_left < (n)) { \
if (bits_left) \
if (bits_left > 0) \
proto_tree_add_bits_item(tree, hf_gsm_a_spare_bits, tvb, bit_offset, bits_left, ENC_BIG_ENDIAN); \
else if (bits_left < 0) \
proto_tree_add_expert(tree, pinfo, &ei_gsm_a_ie_length_too_short, tvb, offset, len); \
return len; \
}
@ -2445,7 +2448,8 @@ de_ms_cm_3(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset,
guint8 length;
proto_tree *subtree;
proto_item *item;
guint32 bits_left, target_bit_offset, old_bit_offset;
gint32 bits_left;
guint32 target_bit_offset, old_bit_offset;
guint64 multi_bnd_sup_fields, rsupport, multislotCapability;
guint64 msMeasurementCapability, msPosMethodCapPresent;
guint64 ecsdMultiSlotCapability, eightPskStructPresent, eightPskStructRfPowerCapPresent;
@ -4691,6 +4695,7 @@ proto_register_gsm_a_common(void)
{ &ei_gsm_a_no_element_dissector, { "gsm_a.no_element_dissector", PI_PROTOCOL, PI_WARN, "No element dissector, rest of dissection may be incorrect", EXPFILL }},
{ &ei_gsm_a_format_not_supported, { "gsm_a.format_not_supported", PI_PROTOCOL, PI_WARN, "Format not supported", EXPFILL }},
{ &ei_gsm_a_mobile_identity_type, { "gsm_a.ie.mobileid.type.unknown", PI_PROTOCOL, PI_WARN, "Format unknown", EXPFILL }},
{ &ei_gsm_a_ie_length_too_short, { "gsm_a.ie.length_too_short", PI_PROTOCOL, PI_ERROR, "IE length too short", EXPFILL }}
};
expert_module_t* expert_a_common;
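Review bot: The `bits_left = ((len + offset) << 3) - bit_offset;` line of AVAILABLE_BITS_CHECK still does the subtraction in unsigned arithmetic (`offset` is guint32 in the de_ms_cm_3 signature, and `len`/`bit_offset` appear to be unsigned too) and relies on the implicit conversion to the new `gint32 bits_left` wrapping to a negative value, which C11 leaves implementation-defined; writing it as `bits_left = (gint32)(((len + offset) << 3) - bit_offset); \` makes the intended wraparound explicit. The macro also has no comment explaining what a negative result means; I would add `/* bits_left < 0: the field just decoded ran past the end of the IE; report it and stop decoding. */` above the `#define`. That comment should also say that the check runs after the offending read, so a field extending past the IE is still fetched from the tvb before the expert item is attached, rather than being prevented. The macro's uses and the enclosing function bodies are outside the hunks.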