RTMPT: Fix infinite loop

The RTMPT dissector when over TCP reuses the TCP sequence numbers, so it needs to consider wraparound, which can occur both with the tcp.relative_sequence_numbers preference set to FALSE, or in some unusual cases (such as a SYN packet with a bogus sequence number so that later packets overlap its sequence number.) Change a sequence number comparison to use the wrap around aware macros from packet-tcp.h Fix #17745.
2021-11-24 01:16:44 -05:00 · 2021-11-24 01:16:44 -05:00 · 32bb2a19ee
parent 9dd770fd64
commit 32bb2a19ee
1 changed files with 14 additions and 1 deletions
--- a/epan/dissectors/packet-rtmpt.c
+++ b/epan/dissectors/packet-rtmpt.c
@ -1879,6 +1879,11 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_

        if (pinfo->fd->visited) {
                /* Already done the work, so just dump the existing state */
+                /* XXX: If there's bogus sequence numbers and the
+                 * tcp.analyze_sequence_numbers pref is TRUE, we can't actually
+                 * assume that we processed this frame the first time around,
+                 * since the TCP dissector might not have given it to us.
+                 */
                wmem_stack_t *packets;

                /* List all RTMP packets terminating in this TCP segment, from end to beginning */
@ -1887,10 +1892,18 @@ dissect_rtmpt_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, rtmpt_
                wmem_stack_push(packets, 0);

                tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], seq+remain-1);
-                while (tp && tp->lastseq >= seq) {
+                while (tp && GE_SEQ(tp->lastseq, seq)) {
+                        /* Sequence numbers can wrap around (especially with
+                         * tcp.relative_sequence_numbers FALSE), so use the
+                         * wrap around aware comparison from packet-tcp.h
+                         */
                        wmem_stack_push(packets, tp);
                        if (tp->seq == 0) {
                                // reached first segment.
+                                /* XXX: Assuming tcp.relative_sequence_numbers
+                                 * is TRUE, that is, since on TCP we just
+                                 * reuse the sequence numbers from tcpinfo.
+                                 */
                                break;
                        }
                        tp = (rtmpt_packet_t *)wmem_tree_lookup32_le(rconv->packets[cdir], tp->seq-1);