DHCPv6: catch the NTP server suboptions being longer than the whole packet
A router here sends the type and length of suboptions of the NTP Server option in dhcpv6 replies in little endian. So the NTP Server option looks like: 01:00:10:00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:ff:fe:xx:xx:xx instead of 00:01:00:10:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:ff:fe:xx:xx:xx . This makes the dissector throw an exception "Malformed Packet" which results in the following options not being dissected. So check the suboption's length before adding the subtree. This improves diagnostics ("suboption too long" instead of "Malformed Packet") and results in the suboptions after the bogus one being parsed. Bug: 15542 Change-Id: Ifbafc23b3dbb7ca389b89936e9d1d15ecc82396e Reviewed-on: https://code.wireshark.org/review/32223 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Dario Lombardo <lomato@gmail.com>
This commit is contained in:
parent
1cbcc57e0a
commit
acb406ff34
|
@ -1496,6 +1496,10 @@ dhcpv6_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree,
|
|||
while (optlen > temp_optlen) {
|
||||
subopt_type = tvb_get_ntohs(tvb, off + temp_optlen);
|
||||
subopt_len = tvb_get_ntohs(tvb, off + 2 + temp_optlen);
|
||||
if (subopt_len > optlen - temp_optlen) {
|
||||
expert_add_info_format(pinfo, option_item, &ei_dhcpv6_malformed_option, "NFS Server: suboption too long");
|
||||
break;
|
||||
}
|
||||
subtree_2 = proto_tree_add_subtree(subtree, tvb, off+temp_optlen, 4 + subopt_len, ett_dhcpv6_netserver_option, &ti,
|
||||
val_to_str(subopt_type, ntp_server_opttype_vals, "NTP Server suboption %u"));
|
||||
proto_tree_add_item(subtree_2, hf_option_ntpserver_type, tvb, off + temp_optlen, 2, ENC_BIG_ENDIAN);
|
||||
|
|
Loading…
Reference in New Issue