author | Gerald Combs <gerald@wireshark.org> | 2017-01-23 10:09:33 -0800 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2017-01-23 19:21:42 +0000 |
commit | 57894f741f7cc98b46c9fdce7eee8256d2a4ae3f (patch) | |
tree | 7d126de6728aef943063d5b84aa6db36fd44e05c | |
parent | 9cece7c081c476020ebec28934b72f04fe39d1d1 (diff) | |
DHCPv6: Avoid integer overflows.
Count using ints instead of guint16s.
Make sure dissect_packetcable_ccc_option and
dissect_packetcable_cccV6_option return positive values while we're
here.
Bug: 13345
Change-Id: Ic303ddc266f46ee3144e079731742c85808faf37
Reviewed-on: https://code.wireshark.org/review/19747
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
-rw-r--r-- | epan/dissectors/packet-dhcpv6.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/epan/dissectors/packet-dhcpv6.c b/epan/dissectors/packet-dhcpv6.c
index 0608a5b1dc..2a4de6d521 100644
--- a/epan/dissectors/packet-dhcpv6.c
+++ b/epan/dissectors/packet-dhcpv6.c
@@ -854,7 +854,7 @@ dissect_packetcable_ccc_option(proto_tree *v_tree, proto_item *v_item, packet_in
 /* There must be at least five octets left to be a valid sub element */
 if (optend <= 0) {
 expert_add_info_format(pinfo, v_item, &ei_dhcpv6_no_suboption_len, "Sub element %d: no room left in option for suboption length", subopt);
- return (optend);
+ return (suboptoff - optoff);
 }
 /* g_print("dissect packetcable ccc option subopt_len=%d optend=%d\n\n", subopt_len, optend); */
@@ -978,7 +978,7 @@ dissect_packetcable_cccV6_option(proto_tree *v_tree, proto_item *v_item, packet_
 /* There must be at least five octets left to be a valid sub element */
 if (optend <= 0) {
 expert_add_info_format(pinfo, v_item, &ei_dhcpv6_no_suboption_len, "Sub element %d: no room left in option for suboption length", subopt);
- return (optend);
+ return (suboptoff - optoff);
 }
 vti = proto_tree_add_item(v_tree, hf_packetcable_cccV6_suboption, tvb, optoff, 2, ENC_BIG_ENDIAN);
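Review bot: The new `return (suboptoff - optoff);` in the `optend <= 0` branch is positive only if `suboptoff` has already been advanced past `optoff` by this point, and that advance is outside the hunk, so the guarantee the commit message promises is neither visible nor enforced here. The identical branch in dissect_packetcable_cccV6_option has the same gap. This value is computed while parsing untrusted DHCPv6 option data and is presumably what the caller uses to step through the option, so if the advance does hold, record it next to the return with a comment such as `/* suboptoff is already past the suboption header here, so the result is > 0 and the caller always makes progress */`. The comment above the check also says five octets must remain while the condition tests `optend <= 0`; one of the two should be corrected. Both function bodies start and end outside their hunks.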
@@ -1092,21 +1092,21 @@ dissect_packetcable_cccV6_option(proto_tree *v_tree, proto_item *v_item, packet_ static void dissect_cablelabs_specific_opts(proto_tree *v_tree, proto_item *v_item, packet_info *pinfo, tvbuff_t *tvb, int voff, int len) { - guint16 type, - tlv_len, /* holds the number of elements in the tlv */ - opt_len, /* holds the length of the suboption */ - sub_value; + guint type, + sub_value; proto_item *ti; proto_item *ti2; proto_tree *subtree; proto_tree *subtree2; - gint tlv5_cap_index, - tlv5_counter, - tlv5_cap_len; + int tlv5_cap_index, + tlv5_counter, + tlv5_cap_len; int off = voff, sub_off, /** The offset for the sub-option */ i, + tlv_len, /* holds the number of elements in the tlv */ field_len, /* holds the length of one occurrence of a field */ + opt_len, /* holds the length of the suboption */ field_value; gchar *device_type = NULL; |
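Review bot: The widened declarations give no hint of why `tlv_len` and `opt_len` moved from `guint16` into the `int` list, so a later type cleanup could narrow them again and bring the wraparound back. A comment above the list such as `/* Lengths and counters are int, not guint16, so sums cannot wrap at 16 bits (bug 13345) */` would record the reason. `type` and `sub_value` are now `guint` while every length and counter is a signed `int`, so any comparison between the two groups converts the signed side to unsigned; the function body is outside the hunk, so whether such a comparison exists cannot be checked from here. These lengths are presumably filled from packet data, so the body should still reject a `tlv_len` or `opt_len` larger than what remains of `len`.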