From 8ff55a910ee0408910cbbe6d1823987f47f8f521 Mon Sep 17 00:00:00 2001
From: Evan Huus
Date: Sat, 7 Mar 2015 22:14:52 -0500
Subject: [PATCH] forces: make redirecttlv robust to invalid lengths

Fixes a potential infinite loop reported by Vlad Tsyrklevich found via the "joern" tool. I'm pretty sure the semantics of proto_tree_add_item would have prevented this, but not 100% and making it explicit doesn't hurt.

Bug: 11037
Change-Id: I92049a95d23ca9c233b3fd830637e6bca19a7434
Reviewed-on: https://code.wireshark.org/review/7592
Petri-Dish: Evan Huus
Tested-by: Petri Dish Buildbot
Reviewed-by: Evan Huus
---
epan/dissectors/packet-forces.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-forces.c b/epan/dissectors/packet-forces.c
index 9fa73bd324..b3c9b36bc9 100644
--- a/epan/dissectors/packet-forces.c
+++ b/epan/dissectors/packet-forces.c
@@ -436,12 +436,17 @@ dissect_redirecttlv(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint of
 length_ilv = tvb_get_ntohl(tvb, offset+12);
 proto_tree_add_uint_format_value(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv_length, tvb, offset+12, 4, length_ilv, "%u Bytes", length_ilv);
- if (length_ilv > 0)
+ offset += 8;
+ if (length_ilv > 0) {
 proto_tree_add_item(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv,
- tvb, offset+8, length_ilv, ENC_NA);
+ tvb, offset, length_ilv, ENC_NA);
+
+ if (offset + length_ilv > offset) {
+ offset += length_ilv;
+ }
+ }
 proto_item_set_len(ti, length_ilv + 8);
- offset += length_ilv + 8;
 }
 if (tvb_reported_length_remaining(tvb, offset) > 0)
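Review bot: The added guard `if (offset + length_ilv > offset)` only detects wraparound of the unsigned sum. Assuming `length_ilv` is a guint32 (it is read with `tvb_get_ntohl` and printed with `%u`) and `offset` is the `gint` parameter the truncated signature suggests, a length such as 0x80000000 passes the test and `offset += length_ilv` then leaves `offset` negative. Bounding the advance by the data actually left in the buffer is tighter and does not rely on integer conversion rules: `gint remaining = tvb_reported_length_remaining(tvb, offset);` followed by `if (remaining > 0 && length_ilv <= (guint32)remaining) offset += length_ilv;`. The same untrusted value still feeds `proto_item_set_len(ti, length_ilv + 8)`, where the addition can wrap for lengths near the 32-bit maximum. The enclosing loop and the rest of dissect_redirecttlv lie outside the hunk, so whether `proto_tree_add_item` already throws on such lengths cannot be confirmed from here.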