author | Michael Mann <mmann78@netscape.net> | 2017-01-24 22:40:07 -0500 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-01-25 11:01:23 +0000 |
commit | cfe7b85b86455e1d62f4c914836ee5baf18831d4 (patch) | |
tree | 3b84921bc162946dca4f1992f897b20add284de5 | |
parent | 29d0f40d44d21f539f8d0a94725812cdb9a9435d (diff) | |
download | wireshark-cfe7b85b86455e1d62f4c914836ee5baf18831d4.tar.gz |
wsp: Sanity check capability length
Bug: 13348
Change-Id: I64abc79475087f1c971419629b5c86e646123f3f
Reviewed-on: https://code.wireshark.org/review/19776
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-wsp.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c
index 45ba624ac7..27718ae249 100644
--- a/epan/dissectors/packet-wsp.c
+++ b/epan/dissectors/packet-wsp.c
@@ -372,6 +372,7 @@ static int ett_te_value = -1;
 static int ett_openwave_default = -1;
 static expert_field ei_wsp_capability_invalid = EI_INIT;
+static expert_field ei_wsp_capability_length_invalid = EI_INIT;
 static expert_field ei_wsp_capability_encoding_invalid = EI_INIT;
 static expert_field ei_wsp_text_field_invalid = EI_INIT;
 static expert_field ei_wsp_header_invalid_value = EI_INIT;
@@ -4631,6 +4632,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 tvbuff_t *tmp_tvb;
 int found_match;
 heur_dtbl_entry_t *hdtbl_entry;
+ proto_item* ti;
 /* Set up structures we will need to add the protocol subtree and manage it */
 proto_item *proto_ti = NULL; /* for the proto entry */
@@ -4716,9 +4718,14 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 }
 count = 0; /* Initialise count */
 capabilityLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
- proto_tree_add_uint (wsp_tree, hf_capabilities_length,
+ ti = proto_tree_add_uint (wsp_tree, hf_capabilities_length,
 tvb, offset, count, capabilityLength);
 offset += count;
+ if (capabilityLength > tvb_reported_length(tvb))
+ {
+ expert_add_info(pinfo, ti, &ei_wsp_capability_length_invalid);
+ break;
+ }
 if (pdut != WSP_PDU_RESUME)
 {
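Review bot: In the hunk at -4716, the new guard compares `capabilityLength` with `tvb_reported_length(tvb)`, the length of the whole buffer, even though `offset` has already moved past the fields that precede the capabilities. A declared length that exceeds the bytes left after `offset` but not the full buffer still passes the check, so it is only rejected if later code applies its own bounds. Comparing against what remains would be tighter, for example `if (capabilityLength > (guint)tvb_reported_length_remaining(tvb, offset))`, assuming the remaining length cannot be negative at this point. The enclosing case of dissect_wsp_common starts and ends outside the hunk, so how the value is consumed afterwards is not visible here.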
@@ -7150,6 +7157,7 @@ proto_register_wsp(void)
 static ei_register_info ei[] = {
 { &ei_wsp_capability_invalid, { "wsp.capability.invalid", PI_PROTOCOL, PI_WARN, "Invalid capability", EXPFILL }},
+ { &ei_wsp_capability_length_invalid, { "wsp.capabilities.length.invalid", PI_PROTOCOL, PI_WARN, "Invalid capability length", EXPFILL }},
 { &ei_wsp_capability_encoding_invalid, { "wsp.capability_encoding.invalid", PI_PROTOCOL, PI_WARN, "Invalid capability encoding", EXPFILL }},
 { &ei_wsp_text_field_invalid, { "wsp.text_field_invalid", PI_PROTOCOL, PI_WARN, "Text field invalid", EXPFILL }},
 { &ei_wsp_invalid_parameter_value, { "wsp.invalid_parameter_value", PI_PROTOCOL, PI_WARN, "Invalid parameter value", EXPFILL }}, |