osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

DHCPv6: Avoid integer overflows. 

Count using ints instead of guint16s.

Make sure dissect_packetcable_ccc_option and
dissect_packetcable_cccV6_option return positive values while we're
here.

Bug: 13345
Change-Id: Ic303ddc266f46ee3144e079731742c85808faf37
Reviewed-on: https://code.wireshark.org/review/19747
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
This commit is contained in:
Gerald Combs 2017-01-23 10:09:33 -08:00
parent 9cece7c081
commit 57894f741f
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
epan/dissectors/packet-dhcpv6.c
View File

@ -854,7 +854,7 @@ dissect_packetcable_ccc_option(proto_tree *v_tree, proto_item *v_item, packet_in
/* There must be at least five octets left to be a valid sub element */
if (optend <= 0) {
expert_add_info_format(pinfo, v_item, &ei_dhcpv6_no_suboption_len, "Sub element %d: no room left in option for suboption length", subopt);
return (optend);
return (suboptoff - optoff);
}
/* g_print("dissect packetcable ccc option subopt_len=%d optend=%d\n\n", subopt_len, optend); */
@ -978,7 +978,7 @@ dissect_packetcable_cccV6_option(proto_tree *v_tree, proto_item *v_item, packet_
/* There must be at least five octets left to be a valid sub element */
if (optend <= 0) {
expert_add_info_format(pinfo, v_item, &ei_dhcpv6_no_suboption_len, "Sub element %d: no room left in option for suboption length", subopt);
return (optend);
return (suboptoff - optoff);
}
vti = proto_tree_add_item(v_tree, hf_packetcable_cccV6_suboption, tvb, optoff, 2, ENC_BIG_ENDIAN);
@ -1092,21 +1092,21 @@ dissect_packetcable_cccV6_option(proto_tree *v_tree, proto_item *v_item, packet_
static void
dissect_cablelabs_specific_opts(proto_tree *v_tree, proto_item *v_item, packet_info *pinfo, tvbuff_t *tvb, int voff, int len)
{
guint16 type,
tlv_len, /* holds the number of elements in the tlv */
opt_len, /* holds the length of the suboption */
sub_value;
guint type,
sub_value;
proto_item *ti;
proto_item *ti2;
proto_tree *subtree;
proto_tree *subtree2;
gint tlv5_cap_index,
tlv5_counter,
tlv5_cap_len;
int tlv5_cap_index,
tlv5_counter,
tlv5_cap_len;
int off = voff,
sub_off, /** The offset for the sub-option */
i,
tlv_len, /* holds the number of elements in the tlv */
field_len, /* holds the length of one occurrence of a field */
opt_len, /* holds the length of the suboption */
field_value;
gchar *device_type = NULL;