From 2193bea3212d74e2a907152055e27d409b59485e Mon Sep 17 00:00:00 2001 From: Pascal Quantin Date: Mon, 25 Jul 2016 17:08:26 +0200 Subject: [PATCH] WAP: check that tvb_get_guintvar does not overflow Bug: 12661 Change-Id: I2ef857d6be6595fd89f3dbb8d41c1c70d550ad93 Reviewed-on: https://code.wireshark.org/review/16665 Reviewed-by: Pascal Quantin Tested-by: Pascal Quantin Reviewed-by: Michael Mann Reviewed-by: Anders Broman --- epan/dissectors/packet-mmse.c | 59 +++++++++------ epan/dissectors/packet-wap.c | 6 +- epan/dissectors/packet-wap.h | 3 +- epan/dissectors/packet-wbxml.c | 132 +++++++++++++++++---------------- epan/dissectors/packet-wsp.c | 56 +++++++------- 5 files changed, 139 insertions(+), 117 deletions(-) diff --git a/epan/dissectors/packet-mmse.c b/epan/dissectors/packet-mmse.c index 9f392ddcf0..561d1e1541 100644 --- a/epan/dissectors/packet-mmse.c +++ b/epan/dissectors/packet-mmse.c @@ -35,6 +35,7 @@ #include +#include #include #include #include "packet-wap.h" @@ -248,6 +249,8 @@ static int hf_mmse_header_bytes = -1; static gint ett_mmse = -1; static gint ett_mmse_hdr_details = -1; +static expert_field ei_mmse_oversized_uintvar = EI_INIT; + /* * Valuestrings for PDU types */ @@ -480,11 +483,12 @@ get_text_string(tvbuff_t *tvb, guint offset, const char **strval) * \param offset Offset within that buffer * \param byte_count Returns the length in bytes of * the "Value-length" field. + * \param pinfo packet_info structure * * \return The actual value of "Value-length" */ static guint -get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count) +get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count, packet_info *pinfo) { guint field; 
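Review bot: `get_value_length` takes the new `pinfo` as a trailing parameter after the `byte_count` out-parameter (and `get_encoded_strval` does the same in a later hunk), whereas the file's own entry point, visible in the hunk headers as `dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, ...)`, places `packet_info *pinfo` directly after `tvb`. Since every caller is rewritten by this commit anyway, `get_value_length(tvbuff_t *tvb, packet_info *pinfo, guint offset, guint *byte_count)` would keep the two helpers consistent with the surrounding convention. The body of get_value_length continues past the end of this hunk.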
@@ -492,7 +496,7 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count) if (field < 31) *byte_count = 1; else { /* Must be 31 so, Uintvar follows */ - field = tvb_get_guintvar(tvb, offset, byte_count); + field = tvb_get_guintvar(tvb, offset, byte_count, pinfo, &ei_mmse_oversized_uintvar); (*byte_count)++; } return field; @@ -511,7 +515,7 @@ get_value_length(tvbuff_t *tvb, guint offset, guint *byte_count) * \return The length in bytes of the entire field */ static guint -get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval) +get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval, packet_info *pinfo) { guint field; guint length; @@ -520,7 +524,7 @@ get_encoded_strval(tvbuff_t *tvb, guint offset, const char **strval) field = tvb_get_guint8(tvb, offset); if (field < 32) { - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); if (length < 2) { *strval = ""; } else { @@ -774,7 +778,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, } break; case MM_BCC_HDR: /* Encoded-string-value */ - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_bcc, tvb, offset - 1, length + 1, strval); @@ -782,7 +786,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, offset += length; break; case MM_CC_HDR: /* Encoded-string-value */ - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_cc, tvb, offset - 1, length + 1, strval); 
@@ -796,7 +800,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, if (length == 0x1F) { guint length_len = 0; length = tvb_get_guintvar(tvb, offset + 1, - &length_len); + &length_len, pinfo, &ei_mmse_oversized_uintvar); length += 1 + length_len; } else { length += 1; @@ -841,7 +845,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, * Value-length(Absolute-token Date-value| * Relative-token Delta-seconds-value) */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); field = tvb_get_guint8(tvb, offset + count); if (tree) { guint tval; @@ -870,7 +874,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, * Value-length(Absolute-token Date-value| * Relative-token Delta-seconds-value) */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); field = tvb_get_guint8(tvb, offset + count); if (tree) { guint tval; @@ -897,7 +901,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, * Value-length(Address-present-token Encoded-string-value * |Insert-address-token) */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); if (tree) { field = tvb_get_guint8(tvb, offset + count); if (field == 0x81) { @@ -906,7 +910,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, ""); } else { (void) get_encoded_strval(tvb, offset + count + 1, - &strval); + &strval, pinfo); proto_tree_add_string(mmse_tree, hf_mmse_from, tvb, offset-1, length + count + 1, strval); } @@ -992,7 +996,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, if (length == 0x1F) { guint length_len = 0; length = tvb_get_guintvar(tvb, offset + 1, - &length_len); + &length_len, pinfo, &ei_mmse_oversized_uintvar); length += 1 + length_len; } else { length += 1; 
@@ -1004,7 +1008,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, ""); } } else { - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_response_text, tvb, offset - 1, @@ -1028,7 +1032,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, } break; case MM_SUBJECT_HDR: /* Encoded-string-value */ - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_subject, tvb, offset - 1, length + 1, strval); @@ -1036,7 +1040,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, offset += length; break; case MM_TO_HDR: /* Encoded-string-value */ - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_to, tvb, offset - 1, length + 1, strval); @@ -1061,7 +1065,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, if (length == 0x1F) { guint length_len = 0; length = tvb_get_guintvar(tvb, offset + 1, - &length_len); + &length_len, pinfo, &ei_mmse_oversized_uintvar); length += 1 + length_len; } else { length += 1; @@ -1074,7 +1078,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, } } else { /* Encoded-string-value */ - length = get_encoded_strval(tvb, offset, &strval); + length = get_encoded_strval(tvb, offset, &strval, pinfo); if (tree) { proto_tree_add_string(mmse_tree, hf_mmse_retrieve_text, tvb, offset - 1, 
@@ -1102,7 +1106,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, * Value-length(Absolute-token Date-value| * Relative-token Delta-seconds-value) */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); field = tvb_get_guint8(tvb, offset + count); if (tree) { guint tval; @@ -1144,7 +1148,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, break; case MM_PREV_SENT_BY_HDR: /* Value-length Integer-value Encoded-string-value */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); if (tree) { guint32 fwd_count, count1, count2; proto_tree *subtree = NULL; @@ -1154,7 +1158,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, &count1); /* 2. Encoded-string-value */ count2 = get_encoded_strval(tvb, - offset + count + count1, &strval); + offset + count + count1, &strval, pinfo); /* Now render the fields */ tii = proto_tree_add_string_format(mmse_tree, hf_mmse_prev_sent_by, @@ -1175,7 +1179,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, break; case MM_PREV_SENT_DATE_HDR: /* Value-Length Forwarded-count-value Date-value */ - length = get_value_length(tvb, offset, &count); + length = get_value_length(tvb, offset, &count, pinfo); if (tree) { guint32 fwd_count, count1, count2; guint tval; @@ -1242,7 +1246,7 @@ dissect_mmse(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 pdut, if (peek == 0x1F) { /* Value length in guintvar */ guint length_len = 0; length = 1 + tvb_get_guintvar(tvb, offset + 1, - &length_len); + &length_len, pinfo, &ei_mmse_oversized_uintvar); length += length_len; } else { /* Value length in octet */ length = 1 + tvb_get_guint8(tvb, offset); 
@@ -1647,13 +1651,22 @@ proto_register_mmse(void) &ett_mmse_hdr_details, }; - /* Register the protocol name and description */ + static ei_register_info ei[] = { + { &ei_mmse_oversized_uintvar, { "mmse.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }} + }; + + expert_module_t* expert_mmse; + + /* Register the protocol name and description */ proto_mmse = proto_register_protocol("MMS Message Encapsulation", "MMSE", "mmse"); /* Required function calls to register header fields and subtrees used */ proto_register_field_array(proto_mmse, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); + + expert_mmse = expert_register_protocol(proto_mmse); + expert_register_field_array(expert_mmse, ei, array_length(ei)); } /* If this dissector uses sub-dissector registration add registration routine. diff --git a/epan/dissectors/packet-wap.c b/epan/dissectors/packet-wap.c index a8737f0eea..0c803110af 100644 --- a/epan/dissectors/packet-wap.c +++ b/epan/dissectors/packet-wap.c @@ -38,7 +38,7 @@ * the final value. Can be pre-initialised to start at offset+count. */ guint -tvb_get_guintvar (tvbuff_t *tvb, guint offset, guint *octetCount) +tvb_get_guintvar (tvbuff_t *tvb, guint offset, guint *octetCount, packet_info *pinfo, expert_field *ei) { guint value = 0; guint octet; @@ -70,6 +70,10 @@ tvb_get_guintvar (tvbuff_t *tvb, guint offset, guint *octetCount) #endif } + if (counter > 5) { + proto_tree_add_expert(NULL, pinfo, ei, tvb, offset, counter); + value = 0; + } if (octetCount != NULL) { *octetCount = counter; diff --git a/epan/dissectors/packet-wap.h b/epan/dissectors/packet-wap.h index cf627d31a1..f27da84971 100644 --- a/epan/dissectors/packet-wap.h +++ b/epan/dissectors/packet-wap.h @@ -30,6 +30,7 @@ #include #include +#include /* Port Numbers as per IANA */ /* < URL:http://www.iana.org/assignments/port-numbers/ > */ 
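Review bot: The `counter > 5` guard added to tvb_get_guintvar still lets a five-octet uintvar wrap `value`: five 7-bit groups carry 35 bits while `value` is a 32-bit guint, so an encoding whose leading octet holds more than four payload bits overflows silently and is returned as if valid. The accumulation loop starts above this hunk so I cannot see how `value` is built, but the overflow test belongs on the value itself (e.g. before each shift, `if (value > (G_MAXUINT >> 7)) { /* oversized */ }`) rather than only on the octet count. Resetting `value` to 0 also makes 0 an in-band sentinel — 0 is a legal uintvar — so callers can only tell "oversized" from a genuine zero by inspecting `*octetCount`; that contract is not stated anywhere, and the function's comment in the preceding hunk should say so, e.g. `* On an oversized encoding an expert item is attached via pinfo/ei and 0 is returned; *octetCount still reports the octets consumed.`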
@@ -69,7 +70,7 @@ */ /* Utility function for reading Uintvar encoded values */ -guint tvb_get_guintvar (tvbuff_t *, guint , guint *); +guint tvb_get_guintvar (tvbuff_t *, guint , guint *, packet_info *, expert_field *); /* * Misc TODO: diff --git a/epan/dissectors/packet-wbxml.c b/epan/dissectors/packet-wbxml.c index 2290eb40ac..54948ca1be 100644 --- a/epan/dissectors/packet-wbxml.c +++ b/epan/dissectors/packet-wbxml.c @@ -177,6 +177,7 @@ static gint ett_wbxml_string_table_item = -1; static expert_field ei_wbxml_data_not_shown = EI_INIT; static expert_field ei_wbxml_content_type_not_supported = EI_INIT; static expert_field ei_wbxml_content_type_disabled = EI_INIT; +static expert_field ei_wbxml_oversized_uintvar = EI_INIT; /* WBXML Preferences */ static gboolean skip_wbxml_token_mapping = FALSE; @@ -266,14 +267,14 @@ typedef char * (* ext_t_func_ptr)(tvbuff_t *, guint32, guint32); * char * opaque_literal_function(tvbuff_t *tvb, guint32 offset, * const char *token, guint8 codepage, guint32 *length); */ -typedef char * (* opaque_token_func_ptr)(tvbuff_t *, guint32, guint8, guint8, guint32 *); -typedef char * (* opaque_literal_func_ptr)(tvbuff_t *, guint32, const char *, guint8, guint32 *); +typedef char * (* opaque_token_func_ptr)(tvbuff_t *, guint32, guint8, guint8, guint32 *, packet_info *); +typedef char * (* opaque_literal_func_ptr)(tvbuff_t *, guint32, const char *, guint8, guint32 *, packet_info *); static char * default_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, - guint8 token _U_, guint8 codepage _U_, guint32 *length) + guint8 token _U_, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = wmem_strdup_printf(wmem_packet_scope(), "(%u bytes of opaque data)", data_len); *length += data_len; return str; 
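Review bot: The updated prototype in packet-wap.h drops parameter names, so a caller reading the header cannot tell which trailing pointer is the packet_info and which the expert_field; the definition in packet-wap.c names them. Suggest `guint tvb_get_guintvar (tvbuff_t *tvb, guint offset, guint *octetCount, packet_info *pinfo, expert_field *ei);` so the header documents the interface it exports.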
@@ -281,9 +282,9 @@ default_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, static char * default_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, - const char *token _U_, guint8 codepage _U_, guint32 *length) + const char *token _U_, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = wmem_strdup_printf(wmem_packet_scope(), "(%u bytes of opaque data)", data_len); *length += data_len; return str; @@ -291,9 +292,9 @@ default_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, static char * default_opaque_binary_attr(tvbuff_t *tvb, guint32 offset, - guint8 token _U_, guint8 codepage _U_, guint32 *length) + guint8 token _U_, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = wmem_strdup_printf(wmem_packet_scope(), "(%u bytes of opaque data)", data_len); *length += data_len; return str; @@ -301,9 +302,9 @@ default_opaque_binary_attr(tvbuff_t *tvb, guint32 offset, static char * default_opaque_literal_attr(tvbuff_t *tvb, guint32 offset, - const char *token _U_, guint8 codepage _U_, guint32 *length) + const char *token _U_, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = wmem_strdup_printf(wmem_packet_scope(), "(%u bytes of opaque data)", data_len); *length += data_len; return str; 
@@ -444,9 +445,9 @@ wv_integer_from_opaque(tvbuff_t *tvb, guint32 offset, guint32 data_len) static char * wv_csp10_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) { @@ -507,9 +508,9 @@ wv_csp10_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp10_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && ( (strcmp(token, "Code") == 0) @@ -542,9 +543,9 @@ wv_csp10_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp11_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) { @@ -614,9 +615,9 @@ wv_csp11_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp11_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && ( (strcmp(token, "Code") == 0) 
@@ -651,9 +652,9 @@ wv_csp11_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp12_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) { @@ -734,9 +735,9 @@ wv_csp12_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp12_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && ( (strcmp(token, "Code") == 0) @@ -772,9 +773,9 @@ wv_csp12_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp13_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) @@ -911,9 +912,9 @@ wv_csp13_opaque_binary_tag(tvbuff_t *tvb, guint32 offset, static char * wv_csp13_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && ( (strcmp(token, "Code") == 0) 
@@ -969,9 +970,9 @@ wv_csp13_opaque_literal_tag(tvbuff_t *tvb, guint32 offset, static char * sic10_opaque_literal_attr(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && ( (strcmp(token, "created") == 0) @@ -989,9 +990,9 @@ sic10_opaque_literal_attr(tvbuff_t *tvb, guint32 offset, static char * sic10_opaque_binary_attr(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) { @@ -1019,9 +1020,9 @@ sic10_opaque_binary_attr(tvbuff_t *tvb, guint32 offset, static char * emnc10_opaque_literal_attr(tvbuff_t *tvb, guint32 offset, - const char *token, guint8 codepage _U_, guint32 *length) + const char *token, guint8 codepage _U_, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; if ( token && (strcmp(token, "timestamp") == 0) ) @@ -1038,9 +1039,9 @@ emnc10_opaque_literal_attr(tvbuff_t *tvb, guint32 offset, static char * emnc10_opaque_binary_attr(tvbuff_t *tvb, guint32 offset, - guint8 token, guint8 codepage, guint32 *length) + guint8 token, guint8 codepage, guint32 *length, packet_info *pinfo) { - guint32 data_len = tvb_get_guintvar(tvb, offset, length); + guint32 data_len = tvb_get_guintvar(tvb, offset, length, pinfo, &ei_wbxml_oversized_uintvar); char *str = NULL; switch (codepage) { 
@@ -7050,7 +7051,7 @@ static const char * Indent (guint8 level) { * NOTE: See above for known token mappings. */ static guint32 -parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, +parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, guint32 offset, guint32 str_tbl, guint8 level, guint8 *codepage_attr, const wbxml_decoding *map) { @@ -7091,7 +7092,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, level, off - offset)); return (off - offset); case 0x02: /* ENTITY */ - ent = tvb_get_guintvar (tvb, off+1, &len); + ent = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); proto_tree_add_uint_format(tree, hf_wbxml_entity, tvb, off, 1+len, ent, " %3d | Attr | A %3d | ENTITY | %s'&#%u;'", level, *codepage_attr, Indent (level), ent); @@ -7109,7 +7110,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, /* ALWAYS means the start of a new attribute, * and may only contain the NAME of the attribute. */ - idx = tvb_get_guintvar (tvb, off+1, &len); + idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); str_len = tvb_strsize (tvb, str_tbl+idx); attr_save_known = 0; attr_save_literal = tvb_format_text (tvb, @@ -7137,7 +7138,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, case 0x81: /* EXT_T_1 */ case 0x82: /* EXT_T_2 */ /* Extension tokens */ - idx = tvb_get_guintvar (tvb, off+1, &len); + idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); { char *s; if (map != NULL) { 
@@ -7158,7 +7159,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, off += 1+len; break; case 0x83: /* STR_T */ - idx = tvb_get_guintvar (tvb, off+1, &len); + idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); str_len = tvb_strsize (tvb, str_tbl+idx); str = tvb_format_text (tvb, str_tbl+idx, str_len-1); proto_tree_add_string_format(tree, hf_wbxml_str_t, tvb, off, 1+len, str, @@ -7184,18 +7185,18 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, if (attr_save_known) { /* Knwon attribute */ if (map->opaque_binary_attr) { tmp_str = map->opaque_binary_attr(tvb, off + 1, - attr_save_known, *codepage_attr, &len); + attr_save_known, *codepage_attr, &len, pinfo); } else { tmp_str = default_opaque_binary_attr(tvb, off + 1, - attr_save_known, *codepage_attr, &len); + attr_save_known, *codepage_attr, &len, pinfo); } } else { /* lITERAL attribute */ if (map->opaque_literal_tag) { tmp_str = map->opaque_literal_attr(tvb, off + 1, - attr_save_literal, *codepage_attr, &len); + attr_save_literal, *codepage_attr, &len, pinfo); } else { tmp_str = default_opaque_literal_attr(tvb, off + 1, - attr_save_literal, *codepage_attr, &len); + attr_save_literal, *codepage_attr, &len, pinfo); } } proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len, NULL, @@ -7203,7 +7204,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, level, *codepage_attr, Indent (level), tmp_str); off += 1 + len; } else { - idx = tvb_get_guintvar (tvb, off+1, &len); + idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len + idx, NULL, " %3d | Attr | A %3d | OPAQUE (Opaque data) | %s(%u bytes of opaque data)", level, *codepage_attr, Indent (level), idx); 
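Review bot: The literal-attribute branch of parse_wbxml_attribute_list_defined tests `map->opaque_literal_tag` but then calls `map->opaque_literal_attr`, so a decoding map that provides a literal tag handler without a literal attribute handler dereferences a NULL function pointer; this predates the commit, but the commit rewrites the very call and is the natural place to correct it. The guard should read `if (map->opaque_literal_attr) {`, mirroring the `map->opaque_binary_attr` check just above it. parse_wbxml_attribute_list_defined begins and ends outside this hunk.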
@@ -7285,7 +7286,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, * the used code page. */ static guint32 -parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, +parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, guint32 offset, guint32 str_tbl, guint8 *level, guint8 *codepage_stag, guint8 *codepage_attr, const wbxml_decoding *map) { @@ -7339,7 +7340,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, DebugLog(("STAG: level = %u, Return: len = %u\n", *level, off - offset)); return (off - offset); case 0x02: /* ENTITY */ - ent = tvb_get_guintvar (tvb, off+1, &len); + ent = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); proto_tree_add_uint_format(tree, hf_wbxml_entity, tvb, off, 1+len, ent, " %3d | Tag | T %3d | ENTITY | %s'&#%u;'", *level, *codepage_stag, Indent (*level), ent); @@ -7372,7 +7373,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, proto_tree_add_none_format(tree, hf_wbxml_pi_xml, tvb, off, 1, " %3d | Tag | T %3d | PI (XML Processing Instruction) | %sopaque_binary_tag) { tmp_str = map->opaque_binary_tag(tvb, off + 1, - tag_save_known, *codepage_stag, &len); + tag_save_known, *codepage_stag, &len, pinfo); } else { tmp_str = default_opaque_binary_tag(tvb, off + 1, - tag_save_known, *codepage_stag, &len); + tag_save_known, *codepage_stag, &len, pinfo); } } else { /* lITERAL tag */ if (map->opaque_literal_tag) { tmp_str = map->opaque_literal_tag(tvb, off + 1, - tag_save_literal, *codepage_stag, &len); + tag_save_literal, *codepage_stag, &len, pinfo); } else { tmp_str = default_opaque_literal_tag(tvb, off + 1, - tag_save_literal, *codepage_stag, &len); + tag_save_literal, *codepage_stag, &len, pinfo); } } proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len, NULL, 
@@ -7458,7 +7459,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, *level, *codepage_stag, Indent (*level), tmp_str); off += 1 + len; } else { - idx = tvb_get_guintvar (tvb, off+1, &len); + idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len + idx, NULL, " %3d | Tag | T %3d | OPAQUE (Opaque data) | %s(%u bytes of opaque data)", *level, *codepage_stag, Indent (*level), idx); @@ -7494,7 +7495,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, tag_len = 0; if ((peek & 0x3F) == 4) { /* LITERAL */ DebugLog(("STAG: LITERAL tag (peek = 0x%02X, off = %u) - TableRef follows!\n", peek, off)); - idx = tvb_get_guintvar (tvb, off+1, &tag_len); + idx = tvb_get_guintvar (tvb, off+1, &tag_len, pinfo, &ei_wbxml_oversized_uintvar); str_len = tvb_strsize (tvb, str_tbl+idx); tag_new_literal = (const gchar*)tvb_get_ptr (tvb, str_tbl+idx, str_len); tag_new_known = 0; /* invalidate known tag_new */ @@ -7522,7 +7523,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, /* Do not process the attribute list: * recursion will take care of it */ (*level)++; - len = parse_wbxml_tag_defined (tree, tvb, off, str_tbl, + len = parse_wbxml_tag_defined (tree, tvb, pinfo, off, str_tbl, level, codepage_stag, codepage_attr, map); off += len; } else { /* Now we will have content to parse */ @@ -7550,7 +7551,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, *level, *codepage_stag, Indent (*level), tag_new_literal); off += 1 + tag_len; } - len = parse_wbxml_attribute_list_defined (tree, tvb, + len = parse_wbxml_attribute_list_defined (tree, tvb, pinfo, off, str_tbl, *level, codepage_attr, map); /* Check that there is still room in packet */ off += len; 
@@ -7599,7 +7600,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, Indent (*level), tag_new_literal); /* Tag string already looked up earlier! */ off++; - len = parse_wbxml_attribute_list_defined (tree, tvb, + len = parse_wbxml_attribute_list_defined (tree, tvb, pinfo, off, str_tbl, *level, codepage_attr, map); /* Check that there is still room in packet */ off += len; @@ -7618,7 +7619,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset, " %3d | Tag | T %3d | LITERAL_A (Literal Tag) (A.) | %s<%s", *level, *codepage_stag, Indent (*level), tag_new_literal); off += 1 + tag_len; - len = parse_wbxml_attribute_list_defined (tree, tvb, + len = parse_wbxml_attribute_list_defined (tree, tvb, pinfo, off, str_tbl, *level, codepage_attr, map); /* Check that there is still room in packet */ off += len; @@ -7721,10 +7722,10 @@ dissect_wbxml_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, */ /* Public ID */ - publicid = tvb_get_guintvar(tvb, 1, &publicid_len); + publicid = tvb_get_guintvar(tvb, 1, &publicid_len, pinfo, &ei_wbxml_oversized_uintvar); if (! publicid) { /* Public identifier in string table */ - publicid_index = tvb_get_guintvar (tvb, 1+publicid_len, &len); + publicid_index = tvb_get_guintvar (tvb, 1+publicid_len, &len, pinfo, &ei_wbxml_oversized_uintvar); publicid_len += len; } offset = 1 + publicid_len; @@ -7739,7 +7740,7 @@ dissect_wbxml_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case 0x02: /* WBXML/1.2 */ case 0x03: /* WBXML/1.3 */ /* Get charset */ - charset = tvb_get_guintvar (tvb, offset, &charset_len); + charset = tvb_get_guintvar (tvb, offset, &charset_len, pinfo, &ei_wbxml_oversized_uintvar); offset += charset_len; break; 
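Review bot: In dissect_wbxml_common a return of 0 from tvb_get_guintvar is the legitimate "public identifier in string table" case, but after this change 0 is also what an oversized uintvar yields, so a malformed public ID now falls into the `if (! publicid)` branch and a second uintvar is read as a string-table index instead of the dissection stopping at the reported error. The octet count is still available, so the branch can be qualified before that test, e.g. `if (publicid_len > 5) { /* oversized, expert item already attached */ bail out; }` with the bail-out matching the function's return type, which lies outside this hunk. The same sentinel collision applies to `str_tbl_len` in the later hunk of this file, where 0 silently becomes an empty string table.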
@@ -7749,7 +7750,7 @@ dissect_wbxml_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, } /* String table: read string table length in bytes */ - tvb_get_guintvar (tvb, offset, &str_tbl_len_len); + tvb_get_guintvar (tvb, offset, &str_tbl_len_len, pinfo, &ei_wbxml_oversized_uintvar); str_tbl = offset + str_tbl_len_len; /* Start of 1st string in string table */ /* Compose the summary line */ @@ -7797,7 +7798,7 @@ dissect_wbxml_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, offset += charset_len; } - str_tbl_len = tvb_get_guintvar (tvb, offset, &len); + str_tbl_len = tvb_get_guintvar (tvb, offset, &len, pinfo, &ei_wbxml_oversized_uintvar); str_tbl = offset + len; /* Start of 1st string in string table */ /* String Table */ @@ -7856,7 +7857,7 @@ dissect_wbxml_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, /* If content_map == NULL, WBXML only, no interpretation of the content */ len = parse_wbxml_tag_defined (tag_tree, - tvb, offset, str_tbl, &level, &codepage_stag, + tvb, pinfo, offset, str_tbl, &level, &codepage_stag, &codepage_attr, content_map); } @@ -8105,6 +8106,7 @@ proto_register_wbxml(void) { &ei_wbxml_data_not_shown, { "wbxml.data_not_shown", PI_PROTOCOL, PI_NOTE, "Data representation not shown (edit WBXML preferences to show)", EXPFILL }}, { &ei_wbxml_content_type_not_supported, { "wbxml.content_type.not_supported", PI_UNDECODED, PI_WARN, "Rendering of this content type not (yet) supported", EXPFILL }}, { &ei_wbxml_content_type_disabled, { "wbxml.content_type.disabled", PI_PROTOCOL, PI_NOTE, "Rendering of this content type has been disabled (edit WBXML preferences to enable)", EXPFILL }}, + { &ei_wbxml_oversized_uintvar, { "wbxml.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }} }; expert_module_t* expert_wbxml; diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c index 2b2b18922a..fec6900c6d 100644 --- a/epan/dissectors/packet-wsp.c +++ b/epan/dissectors/packet-wsp.c 
@@ -380,6 +380,7 @@ static expert_field ei_wsp_undecoded_parameter = EI_INIT; static expert_field ei_hdr_x_wap_tod = EI_INIT; static expert_field ei_wsp_trailing_quote = EI_INIT; static expert_field ei_wsp_header_invalid = EI_INIT; +static expert_field ei_wsp_oversized_uintvar = EI_INIT; /* Handle for WSP-over-UDP dissector */ @@ -1291,7 +1292,7 @@ static void add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *p #define is_uri_value(x) is_text_string(x) #define get_uintvar_integer(val,tvb,start,len,ok) \ - val = tvb_get_guintvar(tvb,start,&len); \ + val = tvb_get_guintvar(tvb,start,&len, pinfo, &ei_wsp_oversized_uintvar); \ if (len>5) ok = FALSE; else ok = TRUE; #define get_short_integer(val,tvb,start,len,ok) \ val = tvb_get_guint8(tvb,start); \ @@ -1438,7 +1439,7 @@ parameter_value_q (proto_tree *tree, packet_info *pinfo, proto_item *ti, tvbuff_ /* END */ \ } else { /* val_start points to 1st byte of length field */ \ if (val_id == 0x1F) { /* Value Length = guintvar */ \ - val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len); \ + val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len, pinfo, &ei_wsp_oversized_uintvar); \ val_len_len++; /* 0x1F length indicator byte */ \ } else { /* Short length followed by Len data octets */ \ val_len = tvb_get_guint8(tvb, offset); \ @@ -4529,7 +4530,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) tvb, 0, 1, version); /* Length of Application-Id headers list */ - val_len = tvb_get_guintvar(tvb, 1, &len); + val_len = tvb_get_guintvar(tvb, 1, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_app_id_list_len, tvb, 1, len, val_len); offset = 1 + len; 
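Review bot: `get_uintvar_integer` now references `pinfo` and `ei_wsp_oversized_uintvar`, neither of which is a macro parameter, so every expansion site silently depends on a `packet_info *pinfo` being in scope and a future caller without one gets an error pointing inside the macro. Either add pinfo as a macro argument or state the requirement above the definition: `/* Requires a packet_info *pinfo in scope at the expansion site. */`. The existing `if (len>5) ok = FALSE; else ok = TRUE;` line now duplicates the check performed inside tvb_get_guintvar; keeping it is reasonable, but a short comment saying it is intentional would save the next reader a trip into packet-wap.c.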
@@ -4539,7 +4540,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) offset += val_len; /* Length of WSP contact points list */ - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_wsp_contact_points_len, tvb, offset, len, val_len); offset += len; @@ -4554,7 +4555,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) offset += val_len; /* Length of non-WSP contact points list */ - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_contact_points_len, tvb, offset, len, val_len); offset += len; @@ -4565,7 +4566,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) offset += val_len; /* Number of entries in the Protocol Options list */ - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_protocol_options_len, tvb, offset, len, val_len); offset += len; @@ -4574,14 +4575,14 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) val_len_save = val_len; for (i = 0; i < val_len_save; i++) { - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_protocol_options, tvb, offset, len, val_len); offset += len; } /* Length of ProvURL */ - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_prov_url_len, tvb, offset, len, val_len); offset += len; 
@@ -4591,7 +4592,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) offset += val_len; /* Number of entries in the CPITag list */ - val_len = tvb_get_guintvar(tvb, offset, &len); + val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(subtree, hf_sir_cpi_tag_len, tvb, offset, len, val_len); offset += len; @@ -4706,7 +4707,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, offset++; } else { count = 0; /* Initialise count */ - value = tvb_get_guintvar (tvb, offset, &count); + value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint (wsp_tree, hf_wsp_server_session_id, tvb, offset, count, value); @@ -4714,7 +4715,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, offset += count; } count = 0; /* Initialise count */ - capabilityLength = tvb_get_guintvar (tvb, offset, &count); + capabilityLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint (wsp_tree, hf_capabilities_length, tvb, offset, count, capabilityLength); offset += count; @@ -4722,7 +4723,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, if (pdut != WSP_PDU_RESUME) { count = 0; /* Initialise count */ - headerLength = tvb_get_guintvar (tvb, offset, &count); + headerLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint (wsp_tree, hf_wsp_header_length, tvb, offset, count, headerLength); offset += count; @@ -4759,7 +4760,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case WSP_PDU_SUSPEND: if (tree) { count = 0; /* Initialise count */ - value = tvb_get_guintvar (tvb, offset, &count); + value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint (wsp_tree, hf_wsp_server_session_id, tvb, offset, count, value); 
@@ -4774,7 +4775,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case WSP_PDU_TRACE: count = 0; /* Initialise count */ /* Length of URI and size of URILen field */ - value = tvb_get_guintvar (tvb, offset, &count); + value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); nextOffset = offset + count; add_uri (wsp_tree, pinfo, tvb, offset, nextOffset, proto_ti); if (tree) { @@ -4788,10 +4789,10 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case WSP_PDU_PUT: uriStart = offset; count = 0; /* Initialise count */ - uriLength = tvb_get_guintvar (tvb, offset, &count); + uriLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); headerStart = uriStart+count; count = 0; /* Initialise count */ - headersLength = tvb_get_guintvar (tvb, headerStart, &count); + headersLength = tvb_get_guintvar (tvb, headerStart, &count, pinfo, &ei_wsp_oversized_uintvar); offset = headerStart + count; add_uri (wsp_tree, pinfo, tvb, uriStart, offset, proto_ti); @@ -4869,7 +4870,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case WSP_PDU_REPLY: count = 0; /* Initialise count */ - headersLength = tvb_get_guintvar (tvb, offset+1, &count); + headersLength = tvb_get_guintvar (tvb, offset+1, &count, pinfo, &ei_wsp_oversized_uintvar); headerStart = offset + count + 1; { guint8 reply_status = tvb_get_guint8(tvb, offset); @@ -4960,7 +4961,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, case WSP_PDU_PUSH: case WSP_PDU_CONFIRMEDPUSH: count = 0; /* Initialise count */ - headersLength = tvb_get_guintvar (tvb, offset, &count); + headersLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); headerStart = offset + count; proto_tree_add_uint (wsp_tree, hf_wsp_header_length, 
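Review bot: In the `@@ -4788` WSP_PDU_GET/PUT hunk, `uriLength` is decoded from the uintvar at `offset`, and `add_uri` (hunk on the next line) decodes the same uintvar again from `URILenOffset`, which is passed `uriStart`; the WSP_PDU_TRACE case in the `@@ -4774` hunk has the same shape, passing `offset` on to `add_uri` after reading the field itself. If the oversized path in packet-wap.c (outside this chunk) returns rather than throws, one malformed URI length is therefore reported twice. Passing the already-decoded `uriLength` and `count` into `add_uri`, or noting why the re-read is intended, `/* add_uri re-decodes the URI length for display; expert info may be emitted twice on malformed input */`, would make the duplication deliberate. dissect_wsp_common and add_uri both start and end outside these hunks.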
@@ -5095,7 +5096,7 @@ add_uri (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint URILenOffset, guint URIOffset, proto_item *proto_ti) { guint count = 0; - guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count); + guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count, pinfo, &ei_wsp_oversized_uintvar); gchar *str; proto_tree_add_uint (tree, hf_wsp_header_uri_len, @@ -5183,7 +5184,7 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd * Now Offset points to the 1st byte of a capability field. * Get the length of the capability field */ - capaValueLen = tvb_get_guintvar(tvb, offset, &len); + capaValueLen = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); capaLen = capaValueLen + len; cap_subtree = proto_tree_add_subtree(wsp_capabilities, tvb, offset, capaLen, ett_capabilities_entry, &cap_item, "Capability"); @@ -5244,12 +5245,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd /* Now the capability type is known */ switch (peek) { case WSP_CAPA_CLIENT_SDU_SIZE: - value = tvb_get_guintvar(tvb, offset, &len); + value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(cap_subtree, hf_capa_client_sdu_size, tvb, offset, len, value); break; case WSP_CAPA_SERVER_SDU_SIZE: - value = tvb_get_guintvar(tvb, offset, &len); + value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(cap_subtree, hf_capa_server_sdu_size, tvb, offset, len, value); break; 
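Review bot: `capaLen = capaValueLen + len;` in the `@@ -5183` add_capabilities hunk is computed in `guint` and then used as the subtree length, so a malformed `capaValueLen` near UINT_MAX wraps `capaLen` to a small number and the "Capability" subtree silently covers the wrong bytes rather than raising an error. Whether such a value can still come out of `tvb_get_guintvar` depends on what packet-wap.c (outside this chunk) now rejects. Checking the value before the addition, `if (capaValueLen > (guint)tvb_reported_length_remaining(tvb, offset + len)) { /* report and stop */ }`, keeps the length honest independently of the helper's policy. add_capabilities starts and ends outside the hunk.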
@@ -5352,12 +5353,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd tvb, capaStart, capaLen, ENC_NA); break; case WSP_CAPA_CLIENT_MESSAGE_SIZE: - value = tvb_get_guintvar(tvb, offset, &len); + value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(cap_subtree, hf_capa_client_message_size, tvb, offset, len, value); break; case WSP_CAPA_SERVER_MESSAGE_SIZE: - value = tvb_get_guintvar(tvb, offset, &len); + value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar); proto_tree_add_uint(cap_subtree, hf_capa_server_message_size, tvb, offset, len, value); break; @@ -5489,7 +5490,7 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo) heur_dtbl_entry_t *hdtbl_entry; - nEntries = tvb_get_guintvar (tvb, offset, &count); + nEntries = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); offset += count; if (nEntries) { @@ -5499,9 +5500,9 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo) while (nEntries--) { part_start = offset; - HeadersLen = tvb_get_guintvar (tvb, offset, &count); + HeadersLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); offset += count; - DataLen = tvb_get_guintvar (tvb, offset, &count); + DataLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar); offset += count; ti = proto_tree_add_uint(sub_tree, hf_wsp_mpart, tvb, part_start, 
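Review bot: `nEntries` in the `@@ -5489` add_multipart_data hunk is taken from the packet and then drives `while (nEntries--)` in the `@@ -5499` hunk with no comparison to the bytes left in the tvb, so the loop is bounded only by the exception raised when a later read runs off the end; `HeadersLen` and `DataLen` read inside the loop are likewise used without a check. This is the same shape as in dissect_sir earlier in the diff. Since every entry needs at least the two uintvar bytes read in the loop, `if (nEntries > (guint)tvb_reported_length_remaining(tvb, offset) / 2) { /* report and stop */ }` after the first read makes the bound explicit. add_multipart_data continues outside both hunks.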
@@ -7157,6 +7158,7 @@ proto_register_wsp(void)
 { &ei_wsp_undecoded_parameter, { "wsp.undecoded_parameter", PI_UNDECODED, PI_WARN, "Invalid parameter value", EXPFILL }},
 { &ei_wsp_trailing_quote, { "wsp.trailing_quote", PI_PROTOCOL, PI_WARN, "Quoted-string value has been encoded with a trailing quote", EXPFILL }},
 { &ei_wsp_header_invalid, { "wsp.header_invalid", PI_MALFORMED, PI_ERROR, "Malformed header", EXPFILL }},
+ { &ei_wsp_oversized_uintvar, { "wsp.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }}
 };
 
 expert_module_t* expert_wsp;