opcua: add missing opcua_nested_count decrement

Nest testing was added in I5f6da3a3e269f6db1b690b77470ddf60045bcedd as
a reaction to CVE-2018-12086. In that change there was only a nest
increment without a decrement.

Bug: 15226
Change-Id: I178fad4be1106c8da23351220c95c85274bddc30
Reviewed-on: https://code.wireshark.org/review/30285
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Jiří Engelthaler 2018-10-20 20:30:27 +02:00 committed by Michael Mann
parent aed46e7eb1
commit b8b8275227
1 changed files with 15 additions and 3 deletions


@ -814,11 +814,12 @@ void parseDiagnosticInfo(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gi
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
if (++opcua_nested_count > MAX_NESTING_DEPTH)
if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
/* parse encoding mask */
@ -857,6 +858,9 @@ void parseDiagnosticInfo(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gi
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
opcua_nested_count--;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
void parseQualifiedName(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOffset, const char *szFieldName)
@ -932,11 +936,12 @@ void parseVariant(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOf
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
if (++opcua_nested_count > MAX_NESTING_DEPTH)
if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
EncodingMask = tvb_get_guint8(tvb, iOffset);
@ -1037,6 +1042,9 @@ void parseVariant(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOf
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
opcua_nested_count--;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
/** General parsing function for arrays of simple types.
@ -1200,11 +1208,12 @@ void parseExtensionObject(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, g
/* prevent a too high nesting depth */
opcua_nested_count = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_opcua, 0));
if (++opcua_nested_count > MAX_NESTING_DEPTH)
if (opcua_nested_count >= MAX_NESTING_DEPTH)
{
expert_add_info(pinfo, ti, &ei_nesting_depth);
return;
}
opcua_nested_count++;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
/* add nodeid subtree */
@ -1223,6 +1232,9 @@ void parseExtensionObject(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, g
proto_item_set_end(ti, tvb, iOffset);
*pOffset = iOffset;
opcua_nested_count--;
p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(opcua_nested_count));
}
void parseExpandedNodeId(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gint *pOffset, const char *szFieldName)
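Review bot: The decrement added at the end of parseDiagnosticInfo, parseVariant and parseExtensionObject runs only on the normal fall-through path, so any other exit between the increment and those closing lines leaves the stored depth one too high. The bodies in between are outside the hunks, but the `tvb_get_guint8(tvb, iOffset)` call right after the increment in parseVariant is an accessor that can throw on a truncated buffer, and an early `return` added later would have the same effect. The failure direction is safe, since the guard trips early and reports `ei_nesting_depth` instead of recursing further. However, if the same `pinfo` is reused for a following PDU, a stale count could produce a spurious nesting-depth report; this is inferred, not visible here. Consider resetting the counter where dissection of each OPC UA message begins (outside this diff) with `p_add_proto_data(pinfo->pool, pinfo, proto_opcua, 0, GUINT_TO_POINTER(0));`, and adding a comment at each increment such as `/* every exit path below must undo this increment */`.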