From 2bff4c197b9bb9c60de37cc036af9cd60a17245a Mon Sep 17 00:00:00 2001
From: Pascal Quantin <pascal.quantin@gmail.com>
Date: Tue, 13 Feb 2018 21:51:08 +0100
Subject: [PATCH] XRA: protect against potential infinite loops and add
 protocol to release notes

Change-Id: Ib1dc560e0c0c83ada668ada2da799808d5d10fc2
Reviewed-on: https://code.wireshark.org/review/25776
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
---
 docbook/release-notes.asciidoc |  1 +
 epan/dissectors/packet-xra.c   | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc
index dc8bb769b1..20265c6cc8 100644
--- a/docbook/release-notes.asciidoc
+++ b/docbook/release-notes.asciidoc
@@ -85,6 +85,7 @@ Bluetooth Mesh
 Broadcom tags (Broadcom Ethernet switch management frames)
 CVS password server
 CAN-ETH
+Excentis DOCSIS31 XRA header
 FP Mux
 GRPC (gRPC)
 IEEE 1905.1a
diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
index 5a2aca5642..c331d75e7b 100644
--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
@@ -415,7 +415,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
   it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
 
-  guint16 tlv_index =0;
+  guint32 tlv_index =0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -450,7 +450,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
         proto_tree_add_item (xra_tlv_cw_info_tree, hf_xra_unknown, tvb, tlv_index, length, ENC_NA);
         break;
     }
-  tlv_index+=length;
+    tlv_index+=length;
   }
 
   return tvb_captured_length(tvb);
@@ -464,7 +464,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
   it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
 
-  guint16 tlv_index =0;
+  guint32 tlv_index =0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -484,7 +484,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
         proto_tree_add_item (xra_tlv_ms_info_tree, hf_xra_unknown, tvb, tlv_index, length, ENC_NA);
         break;
     }
-  tlv_index+=length;
+    tlv_index+=length;
   }
 
   return tvb_captured_length(tvb);
@@ -498,7 +498,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
   it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
   xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
 
-  guint16 tlv_index =0;
+  guint32 tlv_index =0;
   while (tlv_index < tlv_length) {
     guint8 type = tvb_get_guint8 (tvb, tlv_index);
     ++tlv_index;
@@ -512,7 +512,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
         proto_tree_add_item (xra_tlv_burst_info_tree, hf_xra_unknown, tvb, tlv_index, length, ENC_NA);
         break;
     }
-  tlv_index+=length;
+    tlv_index+=length;
   }
 
   return tvb_captured_length(tvb);