Fix some of the brokenness in the PRP redundancy control trailer dissector.

IF YOU ARE DOING A HEURISTIC CHECK TO DETERMINE WHETHER THE PACKET YOU'RE LOOKING AT IS ONE YOU SHOULD DISSECT, EVEN IN A DISSECTOR THAT'S NOT REGISTERED AS A HEURISTIC DISSECTOR, DO NOT LOOK AT PACKET BYTES UNLESS YOU HAVE ALREADY DETERMINED THAT THEY ARE AVAILABLE IN THE CAPTURE. THERE ARE NO EXCEPTIONS TO THIS RULE. Bug: 9826 Change-Id: I2327a92ee760003bc10489263c0c53acdf2094e9 Reviewed-on: https://code.wireshark.org/review/16092 Reviewed-by: Guy Harris <guy@alum.mit.edu>
2016-06-23 02:33:46 -07:00 · 2016-06-23 02:33:46 -07:00 · a51b6a60b1
parent 6b0923a640
commit a51b6a60b1
1 changed files with 14 additions and 0 deletions
--- a/epan/dissectors/packet-prp.c
+++ b/epan/dissectors/packet-prp.c
@ -93,6 +93,13 @@ dissect_prp_redundancy_control_trailer(tvbuff_t *tvb, packet_info *pinfo _U_, pr
    if(length < 14)
        return 0;

+    /*
+     * This is horribly broken.  It assumes the frame is an Ethernet
+     * frame, with a type field at an offset of 12 bytes from the header.
+     * That is not guaranteed to be true.
+     */
+    if (!tvb_bytes_exist(tvb, 12, 2))
+        return 0;
    if(ETHERTYPE_VLAN == tvb_get_ntohs(tvb, 12)) /* tagged frame */
    {
        offset = 18;
@ -105,6 +112,13 @@ dissect_prp_redundancy_control_trailer(tvbuff_t *tvb, packet_info *pinfo _U_, pr
    if (!tree)
        return tvb_captured_length(tvb);

+    /*
+     * Is there enough data in the packet to every try to search for a
+     * trailer?
+     */
+    if (!tvb_bytes_exist(tvb, (length-4)+2, 2))
+        return 0;  /* no */
+
    /* search for PRP-0 trailer */
    /* If the frame is >  64 bytes, the PRP-0 trailer is always at the end. */
    /* If the frame is <= 64 bytes, the PRP-0 trailer may be anywhere (before the padding) */