forked from osmocom/wireshark
From Evan Huus: There were two cases where we could underflow an unsigned subtraction, leading to huge values and near-infinite loops. Catch them and add an expert_info warning that the packet is bad. Also fix some other expert_info messages to hang off of the right dissection tree. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7125
svn path=/trunk/; revision=42122
This commit is contained in:
Anders Broman
parent
67c79aea50
commit
e6b7af69b5
|
|
@ -3315,6 +3315,7 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_,
|
|||
guint32 fieldType = tvb_get_guint8 (tvb, offset + 1);
|
||||
guint32 dataLength = fieldLength - 2;
|
||||
proto_item *upstreamfield_item = NULL;
|
||||
proto_item *upstreamfield_length = NULL;
|
||||
proto_tree *upstreamfield_tree = NULL;
|
||||
const gchar *usfn = NULL;
|
||||
|
||||
|
|
@ -3323,9 +3324,15 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_,
|
|||
upstreamfield_item = proto_tree_add_none_format (tree, hf_r3_upstreamfield, tvb, offset + 0, fieldLength, "Upstream Field: %s (%u)", usfn, fieldType);
|
||||
upstreamfield_tree = proto_item_add_subtree (upstreamfield_item, ett_r3upstreamfield);
|
||||
|
||||
proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
|
||||
upstreamfield_length = proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
|
||||
proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldtype, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
|
||||
|
||||
if (fieldLength < 2)
|
||||
{
|
||||
dataLength = 0;
|
||||
expert_add_info_format (pinfo, upstreamfield_length, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets.");
|
||||
}
|
||||
|
||||
offset += 2;
|
||||
|
||||
switch (fieldType)
|
||||
|
|
@ -4654,15 +4661,22 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
|
|||
guint32 paramType = tvb_get_guint8 (payload_tvb, offset + 1);
|
||||
guint32 dataLength = paramLength - 2;
|
||||
proto_tree *mu_tree = NULL;
|
||||
proto_item *len_field = NULL;
|
||||
const gchar *auptn = NULL;
|
||||
|
||||
auptn = val_to_str_ext_const (paramType, &r3_adduserparamtypenames_ext, "[Unknown Field]");
|
||||
|
||||
mu_tree = proto_item_add_subtree (proto_tree_add_none_format (tree, hf_r3_adduserparamtype, payload_tvb, offset + 0, paramLength, "Manage User Field: %s (%u)", auptn, paramType), ett_r3manageuser);
|
||||
|
||||
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
|
||||
len_field = proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN);
|
||||
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypetype, payload_tvb, offset + 1, 1, ENC_LITTLE_ENDIAN);
|
||||
|
||||
if (paramLength < 2)
|
||||
{
|
||||
dataLength = 0;
|
||||
expert_add_info_format (pinfo, len_field, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets.");
|
||||
}
|
||||
|
||||
offset += 2;
|
||||
|
||||
switch (paramType)
|
||||
|
|
@ -4677,14 +4691,14 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
|
|||
case ADDUSERPARAMTYPE_USECOUNT :
|
||||
case ADDUSERPARAMTYPE_EXCEPTIONGROUP :
|
||||
if (dataLength != 1)
|
||||
expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet");
|
||||
expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet");
|
||||
else
|
||||
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE);
|
||||
break;
|
||||
|
||||
case ADDUSERPARAMTYPE_USERNO :
|
||||
if (dataLength != 2)
|
||||
expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets");
|
||||
expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets");
|
||||
else
|
||||
proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE);
|
||||
break;
|
||||
|
|
@ -4700,7 +4714,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
|
|||
proto_tree *expireon_tree = NULL;
|
||||
|
||||
if (dataLength != 3)
|
||||
expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets");
|
||||
expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets");
|
||||
else
|
||||
{
|
||||
expireon_item = proto_tree_add_text (mu_tree, payload_tvb, offset, 3, "Expire YY/MM/DD: %02u/%02u/%02u",
|
||||
|
|
@ -4722,7 +4736,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin
|
|||
proto_tree *timezone_tree = NULL;
|
||||
|
||||
if (dataLength != 4)
|
||||
expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets");
|
||||
expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets");
|
||||
else
|
||||
{
|
||||
tz = tvb_get_letohl (payload_tvb, offset);
|
||||
|
|
|
|||
Loading…
Reference in New Issue