From David Helder:

The MP_REACH_NLRI (and MP_UNREACH_NLRI) parser incorrectly increments a buffer
offset. Any attributes that follow it will be skipped and/or parsed incorrectly.
I see no security problem: the bounds are checked before each attribute is parsed.

svn path=/trunk/; revision=22598
This commit is contained in:
Jaap Keuter 2007-08-23 09:16:31 +00:00
parent 8f1d57f7ca
commit 902737dfff
1 changed files with 5 additions and 1 deletions


@ -1507,7 +1507,7 @@ dissect_bgp_update(tvbuff_t *tvb, proto_tree *tree)
const char *msg;
int off;
gint k;
guint16 alen, tlen, aoff;
guint16 alen, tlen, aoff, aoff_save;
guint16 af;
guint8 saf, snpa;
guint8 nexthop_len;
@ -2121,6 +2121,7 @@ dissect_bgp_update(tvbuff_t *tvb, proto_tree *tree)
break;
}
aoff_save = aoff;
tlen -= nexthop_len + 4;
aoff += nexthop_len + 4 ;
@ -2167,6 +2168,7 @@ dissect_bgp_update(tvbuff_t *tvb, proto_tree *tree)
}
}
}
aoff = aoff_save;
break;
case BGPTYPE_MP_UNREACH_NLRI:
af = tvb_get_ntohs(tvb, o + i + aoff);
@ -2182,6 +2184,7 @@ dissect_bgp_update(tvbuff_t *tvb, proto_tree *tree)
tlen - 3, "Withdrawn routes (%u %s)", tlen - 3,
(tlen - 3 == 1) ? "byte" : "bytes");
aoff_save = aoff;
tlen -= 3;
aoff += 3;
if (tlen > 0) {
@ -2199,6 +2202,7 @@ dissect_bgp_update(tvbuff_t *tvb, proto_tree *tree)
aoff += advance;
}
}
aoff = aoff_save;
break;
case BGPTYPE_CLUSTER_LIST:
if (tlen % 4 != 0) {
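Review bot: The restore at `aoff = aoff_save;` in the MP_REACH_NLRI and MP_UNREACH_NLRI cases undoes only the `aoff +=` advances, while `tlen` is decremented on the same paths (`tlen -= nexthop_len + 4;`, `tlen -= 3;`) and is never restored; if anything after the switch reads `tlen` (for example to advance to the next attribute or to report its length), it is still short by the bytes consumed here — the loop increment is outside the hunks, so this is inferred rather than seen. A sturdier shape than save/restore is to leave the attribute-level cursor alone and walk the next-hop and NLRI data with a local offset, e.g. `gint nlri_off = o + i + aoff + nexthop_len + 4;` in the REACH case and `gint wdr_off = o + i + aoff + 3;` in the UNREACH case, which removes the need for `aoff_save` and the second copy of the same pattern. If the save/restore is kept, a one-line comment at each `aoff_save = aoff;` site, `/* aoff is the attribute-relative cursor the outer loop advances by; restore it before break */`, records why the restore matters so the next edit does not drop it. dissect_bgp_update starts and ends outside the hunks.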