diff options
author | Pascal Quantin <pascal.quantin@gmail.com> | 2015-11-28 11:45:24 +0100 |
---|---|---|
committer | Pascal Quantin <pascal.quantin@gmail.com> | 2015-11-28 12:40:09 +0000 |
commit | 644bc7868dda0717f7e49ec01e07e0043f7385fb (patch) | |
tree | 3bfddeb838e6e5d2788649a7e4743f969a12d75f | |
parent | a6e8fc8c9af56124d44423c3a85c695ac01c70e7 (diff) | |
download | wireshark-644bc7868dda0717f7e49ec01e07e0043f7385fb.tar.gz |
Diameter: check IPv6 prefix length before copying it in e_in6_addr structure
Bug: 11792
Change-Id: I37a07044d40f10e9a1a90025d90753fdb3db2278
Reviewed-on: https://code.wireshark.org/review/12248
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
(cherry picked from commit aaa28a9d39158ca1033bbd3372cf423abbf4f202)
Reviewed-on: https://code.wireshark.org/review/12252
-rw-r--r-- | epan/dissectors/packet-diameter.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/epan/dissectors/packet-diameter.c b/epan/dissectors/packet-diameter.c index b88fb4d2ee..dfb76ab223 100644 --- a/epan/dissectors/packet-diameter.c +++ b/epan/dissectors/packet-diameter.c @@ -293,6 +293,7 @@ static expert_field ei_diameter_avp_pad = EI_INIT; static expert_field ei_diameter_code = EI_INIT; static expert_field ei_diameter_avp_code = EI_INIT; static expert_field ei_diameter_avp_vendor_id = EI_INIT; +static expert_field ei_diameter_invalid_ipv6_prefix_len = EI_INIT; /* Tap for Diameter */ static int diameter_tap = -1; @@ -425,11 +426,15 @@ dissect_diameter_base_framed_ipv6_prefix(tvbuff_t *tvb, packet_info *pinfo _U_, diam_sub_dis_t *diam_sub_dis = (diam_sub_dis_t*)data; guint8 prefix_len, prefix_len_bytes; /*diam_sub_dis_t *diam_sub_dis_inf = (diam_sub_dis_t*)data;*/ + proto_item *pi; proto_tree_add_item(tree, hf_framed_ipv6_prefix_reserved, tvb, 0, 1, ENC_BIG_ENDIAN); - proto_tree_add_item(tree, hf_framed_ipv6_prefix_length, tvb, 1, 1, ENC_BIG_ENDIAN); + pi = proto_tree_add_item(tree, hf_framed_ipv6_prefix_length, tvb, 1, 1, ENC_BIG_ENDIAN); prefix_len = tvb_get_guint8(tvb, 1); + if (prefix_len > 128) { + expert_add_info(pinfo, pi, &ei_diameter_invalid_ipv6_prefix_len); + } prefix_len_bytes = prefix_len / 8; if (prefix_len % 8) prefix_len_bytes++; @@ -439,7 +444,7 @@ dissect_diameter_base_framed_ipv6_prefix(tvbuff_t *tvb, packet_info *pinfo _U_, /* If we have a fully IPv6 address, display it as such */ if (prefix_len_bytes == 16){ proto_tree_add_item(tree, hf_framed_ipv6_prefix_ipv6, tvb, 2, prefix_len_bytes, ENC_NA); - }else{ + } else if (prefix_len_bytes < 16) { struct e_in6_addr value; memset(&value.bytes, 0, sizeof(value)); @@ -2047,6 +2052,7 @@ real_proto_register_diameter(void) { &ei_diameter_application_id, { "diameter.applicationId.unknown", PI_UNDECODED, PI_WARN, "Unknown Application Id, if you know what this is you can add it to dictionary.xml", EXPFILL }}, { &ei_diameter_version, { "diameter.version.unknown", PI_UNDECODED, PI_WARN, "Unknown Diameter Version (decoding as RFC 3588)", EXPFILL }}, { &ei_diameter_code, { "diameter.cmd.code.unknown", PI_UNDECODED, PI_WARN, "Unknown command, if you know what this is you can add it to dictionary.xml", EXPFILL }}, + { &ei_diameter_invalid_ipv6_prefix_len, { "diameter.invalid_ipv6_prefix_len", PI_MALFORMED, PI_ERROR, "Invalid IPv6 Prefix length", EXPFILL }} }; wmem_array_append(build_dict.hf, hf_base, array_length(hf_base)); |