fixed various issues (two serious ones) found by "private" fuzz-testing

svn path=/trunk/; revision=14830

epan/dissectors/packet-bssgp.c

@@ -1309,6 +1309,7 @@ decode_mobile_identity(bssgp_ie_t *ie, build_info_t *bi, int ie_start_offset) {
   case BSSGP_MOBILE_IDENTITY_TYPE_IMEISV:
     num_digits = 1 + (ie->value_length - 1) * 2;
     if (odd_even != ODD ) num_digits--;
+    if (num_digits > MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError);
 
     i = 0;
     digits[i] = get_masked_guint8(data, BSSGP_MASK_LEFT_OCTET_HALF);
@@ -5377,7 +5378,14 @@ decode_pdu_ran_information(build_info_t *bi) {
   decode_pdu_general(ies, 7, bi);
 
   while (tvb_length_remaining(bi->tvb, bi->offset) >= 4) {
+    guint32 org_offset = bi->offset;
+
     decode_ie(&ies[7], bi);
+
+    /* prevent an endless loop */
+    if(org_offset == bi->offset) {
+        THROW(ReportedBoundsError);
+    }
   }
 }
 

epan/dissectors/packet-gsm_a.c

@@ -16373,6 +16373,8 @@ dissect_dtap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
     default:
 	str = gsm_a_pd_str[pd];
+    /* XXX - hf_idx is still -1! this is a bug in the implementation, and I don't know how to fix it so simple return here */
+    return;
 	break;
     }
 

epan/dissectors/packet-isns.c

@@ -1121,6 +1121,8 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
         return (offset+8);
     }
     
+    tvb_ensure_bytes_exist(tvb, offset, len);
+
     switch( tag )
     {
     case ISNS_ATTR_TAG_DELIMITER:
@@ -1133,9 +1135,11 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
 	offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_entity_protocol, tag, len, function_id);
 	break;
     case ISNS_ATTR_TAG_MGMT_IP_ADDRESS:
+    if(len != 16) THROW(ReportedBoundsError);
 	offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_mgmt_ip_addr, tag, len);
 	break;
     case ISNS_ATTR_TAG_TIMESTAMP:
+    if(len != 8) THROW(ReportedBoundsError);
 	offset = dissect_isns_attr_integer(tvb, offset, tree, hf_isns_timestamp, tag, len, function_id);
 	break;
     case ISNS_ATTR_TAG_PROTOCOL_VERSION_RANGE:
@@ -1157,6 +1161,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
 	offset = dissect_isns_attr_not_decoded_yet(tvb, offset, tree, hf_isns_not_decoded_yet, tag, len);
 	break;
     case ISNS_ATTR_TAG_PORTAL_IP_ADDRESS:
+    if(len != 16) THROW(ReportedBoundsError);
 	offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_portal_ip_addr, tag, len);
 	break;
     case ISNS_ATTR_TAG_PORTAL_PORT:
@@ -1220,6 +1225,7 @@ AddAttribute(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree, guint offset,
 	offset = dissect_isns_attr_string(tvb, offset, tree, hf_isns_pg_iscsi_name, tag, len);
 	break;
     case ISNS_ATTR_TAG_PG_PORTAL_IP_ADDR:
+    if(len != 16) THROW(ReportedBoundsError);
 	offset = dissect_isns_attr_ip_address(tvb, offset, tree, hf_isns_pg_portal_ip_addr, tag, len);
 	break;
     case ISNS_ATTR_TAG_PG_PORTAL_PORT:

epan/dissectors/packet-smpp.c

@@ -2389,7 +2389,21 @@ proto_register_smpp(void)
 		HFILL
 	    }
 	},
-	{   &hf_smpp_user_message_reference,
+    {   &hf_smpp_source_subaddress,
+	    {   "Source Subaddress", "smpp.source_subaddress",
+		FT_STRING, BASE_NONE, NULL, 0x00,
+		"Source Subaddress",
+		HFILL
+	    }
+	},
+    {   &hf_smpp_dest_subaddress,
+	    {   "Destination Subaddress", "smpp.dest_subaddress",
+		FT_STRING, BASE_NONE, NULL, 0x00,
+		"Destination Subaddress",
+		HFILL
+	    }
+	},
+    {   &hf_smpp_user_message_reference,
 	    {   "Message reference", "smpp.user_message_reference",
 		FT_UINT16, BASE_HEX, NULL, 0x00,
 		"Reference to the message, assigned by the user.",