packet-epl.c: Fix bounds error on malformed packet

dissect_epl_payload is called with len retrieved from the packet payload,
so we have to ensure there are indeed at least len bytes remaining in the tvbuff.

Counting the remaining bytes has to start from the _current_ offset, not from
the start of the buffer.

Change-Id: I6f4a94e8503cde6c5eaadc43f560c15ef8c1c375
Reviewed-on: https://code.wireshark.org/review/21829
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
Ahmad Fatoum 2017-05-30 22:25:23 +02:00 committed by Roland Knall
parent 7f96ffe5d4
commit 855a05cd1e
1 changed files with 8 additions and 10 deletions


@ -1928,21 +1928,19 @@ decode_epl_address (guchar adr)
static gint
dissect_epl_payload ( proto_tree *epl_tree, tvbuff_t *tvb, packet_info *pinfo, gint offset, gint len, guint8 msgType )
{
gint off = 0, rem_len = 0, pld_rem_len = 0;
gint rem_len = 0, payload_len = 0;
tvbuff_t * payload_tvb = NULL;
heur_dtbl_entry_t *hdtbl_entry = NULL;
proto_item * item = NULL;
off = offset;
if (len > 0)
{
rem_len = tvb_captured_length_remaining(tvb, 0);
payload_tvb = tvb_new_subset_length(tvb, off, len > rem_len ? rem_len : len);
pld_rem_len = tvb_captured_length_remaining(payload_tvb, 0);
if ( pld_rem_len < len )
rem_len = tvb_captured_length_remaining(tvb, offset);
payload_tvb = tvb_new_subset_length(tvb, offset, MIN(len, rem_len));
payload_len = tvb_captured_length_remaining(payload_tvb, 0);
if ( payload_len < len )
{
item = proto_tree_add_uint(epl_tree, hf_epl_payload_real, tvb, off, pld_rem_len, pld_rem_len);
item = proto_tree_add_uint(epl_tree, hf_epl_payload_real, tvb, offset, payload_len, payload_len);
PROTO_ITEM_SET_GENERATED(item);
expert_add_info(pinfo, item, &ei_real_length_differs );
}
@ -1950,10 +1948,10 @@ dissect_epl_payload ( proto_tree *epl_tree, tvbuff_t *tvb, packet_info *pinfo, g
if ( ! dissector_try_heuristic(heur_epl_data_subdissector_list, payload_tvb, pinfo, epl_tree, &hdtbl_entry, &msgType))
call_data_dissector(payload_tvb, pinfo, epl_tree);
off += len;
offset += payload_len;
}
return off;
return offset;
}
gint