Add dissection recursion checks.

Enforce a maximum layer limit in call_dissector_work and dissector_try_heuristic. Bug: 15778 Change-Id: I691868e980384b76a64f88de4db5bb7340a7c4aa Reviewed-on: https://code.wireshark.org/review/33301 Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Dario Lombardo <lomato@gmail.com> Reviewed-by: Gerald Combs <gerald@wireshark.org>
2019-05-21 10:41:41 -07:00 · 2019-05-21 10:41:41 -07:00 · be9bdfda02
parent de21932d56
commit be9bdfda02
1 changed files with 10 additions and 0 deletions
--- a/epan/packet.c
+++ b/epan/packet.c
@ -729,6 +729,13 @@ static int
 call_dissector_work_error(dissector_handle_t handle, tvbuff_t *tvb,
 			  packet_info *pinfo_arg, proto_tree *tree, void *);

+/*
+ * XXX packet_info.curr_layer_num is a guint8 and *_MAX_RECURSION_DEPTH is
+ * 100 elsewhere in the code. We should arguably use the same value here,
+ * but using that makes suite_wslua.case_wslua.test_wslua_dissector_fpm fail.
+ */
+#define PINFO_LAYER_MAX_RECURSION_DEPTH 500
+
 static int
 call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo_arg,
 		    proto_tree *tree, gboolean add_proto_name, void *data)
@ -751,6 +758,7 @@ call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo
 	saved_proto = pinfo->current_proto;
 	saved_can_desegment = pinfo->can_desegment;
 	saved_layers_len = wmem_list_count(pinfo->layers);
+	DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);

 	/*
 	 * can_desegment is set to 2 by anyone which offers the
@ -2724,6 +2732,8 @@ dissector_try_heuristic(heur_dissector_list_t sub_dissectors, tvbuff_t *tvb,
 	saved_layers_len = wmem_list_count(pinfo->layers);
 	*heur_dtbl_entry = NULL;

+	DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
+
 	for (entry = sub_dissectors->dissectors; entry != NULL;
 	    entry = g_slist_next(entry)) {
 		/* XXX - why set this now and above? */