forked from osmocom/wireshark
forces: make redirecttlv robust to invalid lengths
Fixes a potential infinite loop reported by Vlad Tsyrklevich found via the "joern" tool. I'm pretty sure the semantics of proto_tree_add_item would have prevented this, but not 100% and making it explicit doesn't hurt. Bug: 11037 Change-Id: I92049a95d23ca9c233b3fd830637e6bca19a7434 Reviewed-on: https://code.wireshark.org/review/7592 Petri-Dish: Evan Huus <eapache@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Evan Huus <eapache@gmail.com>
This commit is contained in:
parent
5a1b32b769
commit
8ff55a910e
|
@ -436,12 +436,17 @@ dissect_redirecttlv(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gint of
|
||||||
length_ilv = tvb_get_ntohl(tvb, offset+12);
|
length_ilv = tvb_get_ntohl(tvb, offset+12);
|
||||||
proto_tree_add_uint_format_value(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv_length,
|
proto_tree_add_uint_format_value(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv_length,
|
||||||
tvb, offset+12, 4, length_ilv, "%u Bytes", length_ilv);
|
tvb, offset+12, 4, length_ilv, "%u Bytes", length_ilv);
|
||||||
if (length_ilv > 0)
|
offset += 8;
|
||||||
|
if (length_ilv > 0) {
|
||||||
proto_tree_add_item(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv,
|
proto_tree_add_item(meta_data_ilv_tree, hf_forces_redirect_tlv_meta_data_tlv_meta_data_ilv,
|
||||||
tvb, offset+8, length_ilv, ENC_NA);
|
tvb, offset, length_ilv, ENC_NA);
|
||||||
|
|
||||||
|
if (offset + length_ilv > offset) {
|
||||||
|
offset += length_ilv;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
proto_item_set_len(ti, length_ilv + 8);
|
proto_item_set_len(ti, length_ilv + 8);
|
||||||
offset += length_ilv + 8;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tvb_reported_length_remaining(tvb, offset) > 0)
|
if (tvb_reported_length_remaining(tvb, offset) > 0)
|
||||||
|
|
Loading…
Reference in New Issue