osmocom
/
wireshark
14
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7801 : 

Ensure that the sub-type length is at least 2 (for sub-type and length fields).
Prevents an infinite loop when the length equals 0.

svn path=/trunk/; revision=45337
This commit is contained in:
Pascal Quantin 2012-10-06 10:01:59 +00:00
parent 0e32b4e2ef
commit 75dd452b24
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
epan/dissectors/packet-3g-a11.c
View File

@ -44,6 +44,7 @@
#include <glib.h>
#include <epan/packet.h>
#include <epan/expert.h>
/* Include vendor id translation */
#include <epan/sminmpec.h>
@ -612,10 +613,11 @@ dissect_a11_radius( tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *t
/* X.S0011-005-D v2.0 Service Option Profile */
static const gchar *
dissect_3gpp2_service_option_profile(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo _U_)
dissect_3gpp2_service_option_profile(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo)
{
int offset = 0;
guint8 sub_type, sub_type_length;
proto_item *pi;
/* Maximum service connections/Link Flows total 32 bit*/
proto_tree_add_item(tree, hf_a11_serv_opt_prof_max_serv, tvb, offset, 4, ENC_BIG_ENDIAN);
@ -627,8 +629,12 @@ dissect_3gpp2_service_option_profile(proto_tree *tree, tvbuff_t *tvb, packet_i
sub_type = tvb_get_guint8(tvb,offset);
proto_tree_add_item(tree, hf_a11_sub_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
proto_tree_add_item(tree, hf_a11_sub_type_length, tvb, offset, 1, ENC_BIG_ENDIAN);
pi = proto_tree_add_item(tree, hf_a11_sub_type_length, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
if (sub_type_length < 2) {
expert_add_info_format(pinfo, pi, PI_PROTOCOL, PI_WARN, "Sub-Type Length should be at least 2");
sub_type_length = 2;
}
if (sub_type==1){
proto_tree_add_item(tree, hf_a11_serv_opt, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
@ -672,7 +678,11 @@ dissect_3gpp2_radius_aut_flow_profile_ids(proto_tree *tree, tvbuff_t *tvb, pac
proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_len, tvb, offset, 1, ENC_BIG_ENDIAN);
item = proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_len, tvb, offset, 1, ENC_BIG_ENDIAN);
if (sub_type_length < 2) {
expert_add_info_format(pinfo, item, PI_PROTOCOL, PI_WARN, "Sub-Type Length should be at least 2");
sub_type_length = 2;
}
offset++;
proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_value, tvb, offset, 2, ENC_BIG_ENDIAN);