ENRP: Check for invalid parameter & error cause lengths

The value of the length field in ENRP parameters and error causes
includes the type and length fields themselves, and must be at least 4.
In particular, not raising an error on zero can cause an infinite loop.

https://datatracker.ietf.org/doc/html/rfc5354

Fix #19674
John Thacker 2024-02-27 09:02:55 -05:00
parent 49d15ea4e8
commit 84ffa648ea
1 changed files with 15 additions and 1 deletions


@ -102,6 +102,7 @@ static guint64 enrp_total_msgs = 0;
static guint64 enrp_total_bytes = 0;
static expert_field ei_enrp_max_recursion_depth_reached;
static expert_field ei_enrp_invalid_length;
static void
dissect_parameters(tvbuff_t *, packet_info *, proto_tree *);
@ -206,6 +207,12 @@ dissect_error_causes(tvbuff_t *error_causes_tvb, packet_info *pinfo, proto_tree
offset = 0;
while(tvb_reported_length_remaining(error_causes_tvb, offset) > 0) {
length = tvb_get_ntohs(error_causes_tvb, offset + CAUSE_LENGTH_OFFSET);
if (length < 4) {
proto_tree_add_expert_format(parameter_tree, pinfo, &ei_enrp_invalid_length,
error_causes_tvb, offset + CAUSE_LENGTH_OFFSET, 2,
"Error cause length must be at least 4 bytes");
return;
}
total_length = WS_ROUNDUP_4(length);
error_cause_tvb = tvb_new_subset_length(error_causes_tvb, offset, total_length);
dissect_error_cause(error_cause_tvb, pinfo, parameter_tree);
@ -539,6 +546,11 @@ dissect_parameters(tvbuff_t *parameters_tvb, packet_info *pinfo, proto_tree *tre
offset = 0;
while((remaining_length = tvb_reported_length_remaining(parameters_tvb, offset)) > 0) {
length = tvb_get_ntohs(parameters_tvb, offset + PARAMETER_LENGTH_OFFSET);
if (length < 4) {
proto_tree_add_expert(tree, pinfo, &ei_enrp_invalid_length,
parameters_tvb, offset + PARAMETER_LENGTH_OFFSET, 2);
return;
}
total_length = WS_ROUNDUP_4(length);
if (remaining_length >= length)
total_length = MIN(total_length, remaining_length);
@ -1140,7 +1152,9 @@ proto_register_enrp(void)
static ei_register_info ei[] = {
{ &ei_enrp_max_recursion_depth_reached, { "enrp.max_recursion_depth_reached",
PI_PROTOCOL, PI_WARN, "Maximum allowed recursion depth reached - stop decoding", EXPFILL }}
PI_PROTOCOL, PI_WARN, "Maximum allowed recursion depth reached - stop decoding", EXPFILL }},
{ &ei_enrp_invalid_length, { "enrp.invalid_length",
PI_MALFORMED, PI_ERROR, "Parameter length must be at least 4 bytes", EXPFILL }}
};
static tap_param enrp_stat_params[] = {
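Review bot: The new `length < 4` guard in dissect_error_causes bounds the length only from below, so `total_length = WS_ROUNDUP_4(length)` on the next line could still reach 0 if `total_length` is a 16-bit variable. In that case a length of 0xFFFD to 0xFFFF rounds up to 0x10000 and truncates to 0. The declarations and the step that advances `offset` are outside the hunk, so this needs confirming against the full function. If it holds, declare `total_length` as `guint` so the rounded value cannot wrap. A short comment on both guards, such as `/* length counts the 4-byte type+length header; anything smaller would not advance offset */`, would record why 4 is the bound.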