AMQP: fix a stack overflow when offset goes back and forth

Previous code assumed that list decoding was successful and that some bytes were consumed. Let's explicitly check this. Bug: 13780 Change-Id: I3546b093f309f2b8096f01bc9987ac5ad9e029eb Reviewed-on: https://code.wireshark.org/review/22235 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2017-06-19 21:23:47 +02:00 · 2017-06-19 21:23:47 +02:00 · 246cbbc2ea
parent bb58b3a264
commit 246cbbc2ea
1 changed files with 7 additions and 1 deletions
--- a/epan/dissectors/packet-amqp.c
+++ b/epan/dissectors/packet-amqp.c
@ -9978,7 +9978,13 @@ get_amqp_1_0_value_formatter(tvbuff_t *tvb,
                                                     item,
                                                     hf_amqp_type,
                                                     hf_amqp_subtype_count,
-                                                     hf_amqp_subtypes, name)-1; /* "-1" due to decode type again in the method */
+                                                     hf_amqp_subtypes, name);
+                if (*length_size == 0) {
+                    /* something went wrong during list dissection; let's stop here */
+                    *length_size = tvb_reported_length_remaining(tvb, offset);
+                } else {
+                    *length_size -= 1; /* "-1" due to decode type again in the method */
+                }
                break;
            case AMQP_1_0_TYPE_MAP8:
            case AMQP_1_0_TYPE_MAP32: