osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

GTPv2: fix dissection of APN IE 

The total maximum length of the APN with Network Identifier and Operator
Identifier is 100 bytes.

Bug: 15383
Change-Id: Ib74eac1f18f2235c2788e58370f50eeb9a678357
Reviewed-on: https://code.wireshark.org/review/31225
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
Pascal Quantin 2018-12-28 10:38:44 +01:00 committed by Michael Mann
parent 4b3cd73de2
commit 6180d0fdaa
1 changed files with 29 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
epan/dissectors/packet-gtpv2.c
View File

@ -696,6 +696,7 @@ static expert_field ei_gtpv2_mbms_session_duration_days = EI_INIT;
static expert_field ei_gtpv2_mbms_session_duration_secs = EI_INIT;
static expert_field ei_gtpv2_ie = EI_INIT;
static expert_field ei_gtpv2_int_size_not_handled = EI_INIT;
static expert_field ei_gtpv2_apn_too_long = EI_INIT;
/* Definition of User Location Info (AVP 22) masks */
#define GTPv2_ULI_CGI_MASK 0x01
@ -1990,21 +1991,20 @@ dissect_gtpv2_apn(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, proto
int name_len, tmp;
if (length > 0) {
name_len = tvb_get_guint8(tvb, offset);
proto_item *pi;
if (name_len < 0x20) {
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, length - 1, ENC_ASCII);
for (;;) {
if (name_len >= length - 1)
break;
tmp = name_len;
name_len = name_len + apn[tmp] + 1;
apn[tmp] = '.';
}
} else{
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, length, ENC_ASCII);
name_len = tvb_get_guint8(tvb, offset);
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, length - 1, ENC_ASCII);
for (;;) {
if (name_len >= length - 1)
break;
tmp = name_len;
name_len = name_len + apn[tmp] + 1;
apn[tmp] = '.';
}
proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, length, apn);
pi = proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, length, apn);
if (length > 100)
expert_add_info(pinfo, pi, &ei_gtpv2_apn_too_long);
}
if (apn)
@ -6771,29 +6771,22 @@ dissect_gtpv2_apn_and_relative_capacity(tvbuff_t *tvb, packet_info *pinfo _U_, p
proto_tree_add_item(tree, hf_gtpv2_apn_length, tvb, offset, 1, ENC_BIG_ENDIAN);
offset += 1;
if (apn_length > 0)
{
if (apn_length > 0) {
proto_item *pi;
name_len = tvb_get_guint8(tvb, offset);
if (name_len < 0x20)
{
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, apn_length - 1, ENC_ASCII);
for (;;)
{
if (name_len >= apn_length - 1)
break;
tmp = name_len;
name_len = name_len + apn[tmp] + 1;
apn[tmp] = '.';
}
}
else
{
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, apn_length, ENC_ASCII);
}
proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, apn_length, apn);
apn = tvb_get_string_enc(wmem_packet_scope(), tvb, offset + 1, apn_length - 1, ENC_ASCII);
for (;;) {
if (name_len >= apn_length - 1)
break;
tmp = name_len;
name_len = name_len + apn[tmp] + 1;
apn[tmp] = '.';
}
pi = proto_tree_add_string(tree, hf_gtpv2_apn, tvb, offset, apn_length, apn);
if (apn_length > 100)
expert_add_info(pinfo, pi, &ei_gtpv2_apn_too_long);
}
}
/*
* 8.117 Paging and Service Information
@ -10217,7 +10210,8 @@ void proto_register_gtpv2(void)
{ &ei_gtpv2_mbms_session_duration_days, { "gtpv2.mbms_session_duration_days.invalid", PI_PROTOCOL, PI_WARN, "Days out of allowed range", EXPFILL }},
{ &ei_gtpv2_mbms_session_duration_secs, { "gtpv2.mbms_session_duration_secs.unknown", PI_PROTOCOL, PI_WARN, "Seconds out of allowed range", EXPFILL }},
{ &ei_gtpv2_ie, { "gtpv2.ie_type.reserved", PI_PROTOCOL, PI_WARN, "IE type Zero is Reserved and should not be used", EXPFILL }},
{ &ei_gtpv2_int_size_not_handled,{ "gtpv2.ie_type.int_size_not_handled", PI_PROTOCOL, PI_WARN, "Integer size not handled yet", EXPFILL } },
{ &ei_gtpv2_int_size_not_handled, { "gtpv2.ie_type.int_size_not_handled", PI_PROTOCOL, PI_WARN, "Integer size not handled yet", EXPFILL } },
{ &ei_gtpv2_apn_too_long, { "gtpv2.apn_too_long", PI_PROTOCOL, PI_WARN, "APN encoding has more than 100 octets", EXPFILL } },
};
expert_module_t* expert_gtpv2;