QUIC: Fix some issue (Malformed frame) with handshake heuristics

Need to check if there is data before get a value... Change-Id: I45592e9a2c55a5bce57a40f7e3153e8f540ca316 Reviewed-on: https://code.wireshark.org/review/10636 Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-09-24 10:56:23 +02:00 · 2015-09-24 10:56:23 +02:00 · af0e93c056
parent fea2e4aaf8
commit af0e93c056
1 changed files with 11 additions and 4 deletions
--- a/epan/dissectors/packet-quic.c
+++ b/epan/dissectors/packet-quic.c
@ -553,6 +553,9 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                    /* Error Code */
                    offset += 4;
                    /* Reason Phrase Length */
+                    if (tvb_captured_length_remaining(tvb, offset) <= 2){
+                        return FALSE;
+                    }
                    len_reason = tvb_get_ntohs(tvb, offset);
                    offset += 2;
                    /* Reason Phrase */
@ -567,6 +570,9 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                    /* Last Good Stream ID */
                    offset += 4;
                    /* Reason Phrase Length */
+                    if (tvb_captured_length_remaining(tvb, offset) <= 2){
+                        return FALSE;
+                    }
                    len_reason = tvb_get_ntohs(tvb, offset);
                    offset += 2;
                    /* Reason Phrase */
@ -615,7 +621,8 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){

                /* Data length */
                offset += len_data;
-                if ( tvb_captured_length(tvb) <= offset){
+
+                if (tvb_captured_length_remaining(tvb, offset) <= 4){
                    return FALSE;
                }

@ -645,7 +652,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                offset += 2;

                /* Num Timestamp */
-                if ( tvb_captured_length(tvb) <= offset){
+                if (tvb_captured_length_remaining(tvb, offset) <= 1){
                    return FALSE;
                }
                num_timestamp = tvb_get_guint8(tvb, offset);
@ -664,7 +671,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){

                if(frame_type & FTFLAGS_ACK_N){
                    /* Num Ranges */
-                    if ( tvb_captured_length(tvb) <= offset){
+                    if (tvb_captured_length_remaining(tvb, offset) <= 1){
                        return FALSE;
                    }
                    num_ranges = tvb_get_guint8(tvb, offset);
@ -674,7 +681,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                    offset += num_ranges*(len_missing_packet+1);

                    /* Num Revived */
-                    if ( tvb_captured_length(tvb) <= offset){
+                    if (tvb_captured_length_remaining(tvb, offset) <= 1){
                        return FALSE;
                    }
                    num_revived = tvb_get_guint8(tvb, offset);