osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Make sure the offset doesn't overflow. 

It'd only overflow if the value is *so* large that it won't fit in the
packet (given that we have a 2^32-1-byte limit on the packet size), so
use tvb_ensure_bytes_exist() to ensure we have the entire value before
processing the value.

(The real problem is that we don't handle the case where there's a value
multiplicity > 1 for some types; in those cases, we should loop,
processing all the values, which would cause us to eventually throw an
exception when we ran past the end of the packet.  This is just a quick
fix.)

Bug: 14742
Change-Id: I447ece81d1c84d3b1d218faeb2c155f910208c29
Reviewed-on: https://code.wireshark.org/review/27853
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This commit is contained in:
Guy Harris 2018-05-27 19:42:35 -07:00
parent 101b692569
commit 25118898a9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
epan/dissectors/packet-dcm.c
View File

@ -5758,6 +5758,11 @@ dissect_dcm_tag_value(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, dcm_s
guint encoding = (pdv->syntax == DCM_EBE) ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
/* Make sure we have all the bytes of the item; this should throw
and exception if vl_max is so large that it causes the offset
to overflow. */
tvb_ensure_bytes_exist(tvb, offset, vl_max);
/* ---------------------------------------------------------------------------
Potentially long types. Obey vl_max
---------------------------------------------------------------------------