authorEvan Huus <eapache@gmail.com>2014-07-06 08:53:48 -0400
committerAlexis La Goutte <alexis.lagoutte@gmail.com>2014-07-06 16:53:39 +0000
commitbe4d42c6ab54169c8c027d3b1871a282fd9d0a9d (patch)
tree8d1e47e7ccecd1fdd7db3eea54bf390e99f3f8da
parent5886e45179844c412c67a226010a12039ebbcc0a (diff)
Widen openflow variables and check for underflows
As suggested by Alexis reviewing change Ie76c5a810af927b, this issue was scattered throughout the v4/v5 openflow dissectors. Hopefully I got all of them. Original issue found in bug 10259. Change-Id: Idf87deea34132aec5cd4e8f83264906a29b15568 Reviewed-on: https://code.wireshark.org/review/2878 Reviewed-by: Evan Huus <eapache@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
-rw-r--r--epan/dissectors/packet-openflow_v4.c25
-rw-r--r--epan/dissectors/packet-openflow_v5.c45
2 files changed, 44 insertions, 26 deletions
diff --git a/epan/dissectors/packet-openflow_v4.c b/epan/dissectors/packet-openflow_v4.c
index b45996ca97..5e20c045e3 100644
--- a/epan/dissectors/packet-openflow_v4.c
+++ b/epan/dissectors/packet-openflow_v4.c
@@ -1129,7 +1129,7 @@ dissect_openflow_match_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tre
proto_tree *match_tree;
guint16 match_type;
guint16 match_length;
- guint16 fields_end;
+ gint32 fields_end;
guint16 pad_length;
match_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_match, &ti, "Match");
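Review bot: The widened `fields_end` declaration carries no comment saying why it is signed and 32 bits wide, so a later cleanup could narrow it back to the width of `match_length` and reintroduce the wrap. I would add `/* signed and wider than the 16-bit length: offset + length must not wrap or truncate */` above it, and the same on the other `*_end` declarations this commit changes in both files. Since `offset` is a plain `int` in the signatures visible in this diff (for example `dissect_openflow_packet_out_v4`), declaring it as `int fields_end;` would keep the end offset and the running offset the same type. The function body continues outside the hunk.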
@@ -1972,7 +1972,7 @@ dissect_openflow_action_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_tree *act_tree;
guint16 act_type;
guint16 act_length;
- guint16 act_end;
+ gint32 act_end;
act_type = tvb_get_ntohs(tvb, offset);
act_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2358,7 +2358,8 @@ static void
dissect_openflow_packet_out_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
{
proto_tree *data_tree;
- guint16 acts_len, acts_end;
+ guint16 acts_len;
+ gint32 acts_end;
tvbuff_t *next_tvb;
gboolean save_writable;
gboolean save_in_error_pkt;
@@ -2478,7 +2479,7 @@ dissect_openflow_instruction_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
proto_tree *inst_tree;
guint16 inst_type;
guint16 inst_length;
- guint16 acts_end;
+ gint32 acts_end;
inst_type = tvb_get_ntohs(tvb, offset);
inst_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2658,7 +2659,7 @@ dissect_openflow_bucket_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_item *ti;
proto_tree *bucket_tree;
guint16 bucket_length;
- guint16 acts_end;
+ gint32 acts_end;
bucket_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_bucket, &ti, "Bucket");
@@ -2668,6 +2669,10 @@ dissect_openflow_bucket_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_tree_add_item(bucket_tree, hf_openflow_v4_bucket_length, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
+ if (bucket_length < 16) {
+ bucket_length = 16;
+ }
+
/* uint16_t weight; */
proto_tree_add_item(bucket_tree, hf_openflow_v4_bucket_weight, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
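Review bot: The new `if (bucket_length < 16)` clamp silently rewrites a malformed length: the tree item added just above still shows the raw value from the packet, and nothing tells the analyst that the dissector substituted 16. A too-short length is an anomaly worth surfacing during triage, so I would attach an expert-info item inside the branch, e.g. `expert_add_info(pinfo, ti, &ei_PLACEHOLDER_length_too_short);` (placeholder field name, to be registered with the dissector), and comment the constant with `/* 16 = fixed size of the bucket header before the action list (confirm against the struct layout) */`. The same applies to the clamps added in `dissect_openflow_instruction_v5` (8), `dissect_openflow_bucket_v5` (16) and `dissect_openflow_table_feature_prop_v5` (4). The function starts and ends outside this hunk.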
@@ -3098,7 +3103,7 @@ dissect_openflow_table_features_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_
proto_item *ti;
proto_tree *feat_tree;
guint16 feat_length;
- guint16 feat_end;
+ gint32 feat_end;
feat_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_table_features, &ti, "Table features");
@@ -3403,7 +3408,7 @@ dissect_openflow_flow_stats_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
proto_item *ti;
proto_tree *stats_tree, *flags_tree;
guint16 stats_len;
- guint16 stats_end;
+ gint32 stats_end;
stats_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_flow_stats, &ti, "Flow stats");
@@ -3688,7 +3693,7 @@ dissect_openflow_group_stats_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
proto_item *ti;
proto_tree *stats_tree;
guint16 stats_len;
- guint16 stats_end;
+ gint32 stats_end;
stats_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_group_stats, &ti, "Group stats");
@@ -3750,7 +3755,7 @@ dissect_openflow_group_desc_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
proto_tree *desc_tree;
guint16 desc_len;
- guint16 desc_end;
+ gint32 desc_end;
desc_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_group_desc, &ti, "Group description");
@@ -3996,7 +4001,7 @@ dissect_openflow_meter_config_v4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tr
proto_item *ti;
proto_tree *conf_tree, *flags_tree;
guint16 config_len;
- guint16 config_end;
+ gint32 config_end;
conf_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v4_meter_config, &ti, "Meter config");
diff --git a/epan/dissectors/packet-openflow_v5.c b/epan/dissectors/packet-openflow_v5.c
index 22269a5d92..73e3f31fe4 100644
--- a/epan/dissectors/packet-openflow_v5.c
+++ b/epan/dissectors/packet-openflow_v5.c
@@ -1283,7 +1283,7 @@ dissect_openflow_match_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tre
proto_tree *match_tree;
guint16 match_type;
guint16 match_length;
- guint16 fields_end;
+ gint32 fields_end;
guint16 pad_length;
match_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_match, &ti, "Match");
@@ -2209,7 +2209,7 @@ dissect_openflow_action_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_tree *act_tree;
guint16 act_type;
guint16 act_length;
- guint16 act_end;
+ gint32 act_end;
act_type = tvb_get_ntohs(tvb, offset);
act_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2743,7 +2743,8 @@ static void
dissect_openflow_packet_out_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_)
{
proto_tree *data_tree;
- guint16 acts_len, acts_end;
+ guint16 acts_len;
+ gint32 acts_end;
tvbuff_t *next_tvb;
gboolean save_writable;
gboolean save_in_error_pkt;
@@ -2863,7 +2864,7 @@ dissect_openflow_instruction_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
proto_tree *inst_tree;
guint16 inst_type;
guint16 inst_length;
- guint16 acts_end;
+ gint32 acts_end;
inst_type = tvb_get_ntohs(tvb, offset);
inst_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2872,6 +2873,10 @@ dissect_openflow_instruction_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
offset = dissect_openflow_instruction_header_v5(tvb, pinfo, inst_tree, offset, length);
+ if (inst_length < 8) {
+ inst_length = 8;
+ }
+
switch (inst_type) {
case OFPIT_GOTO_TABLE:
/* uint8_t table_id; */
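Review bot: `dissect_openflow_instruction_v4` gets only the `acts_end` type change in this commit, while its v5 twin gains the `inst_length < 8` lower bound here, so the two dissectors may now treat a short instruction differently. Unless the v4 body already bounds `inst_length` somewhere outside its hunk, I would add the same lines there: `if (inst_length < 8) { inst_length = 8; }`. The bound is also applied only after `dissect_openflow_instruction_header_v5()` has run. That call is passed `length` rather than `inst_length`, so the ordering looks harmless, but it is worth confirming that nothing between the read of `inst_length` and the clamp uses the raw value.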
@@ -3043,7 +3048,7 @@ dissect_openflow_bucket_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_item *ti;
proto_tree *bucket_tree;
guint16 bucket_length;
- guint16 acts_end;
+ gint32 acts_end;
bucket_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_bucket, &ti, "Bucket");
@@ -3053,6 +3058,10 @@ dissect_openflow_bucket_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tr
proto_tree_add_item(bucket_tree, hf_openflow_v5_bucket_length, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
+ if (bucket_length < 16) {
+ bucket_length = 16;
+ }
+
/* uint16_t weight; */
proto_tree_add_item(bucket_tree, hf_openflow_v5_bucket_weight, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
@@ -3590,7 +3599,7 @@ dissect_openflow_table_feature_prop_v5(tvbuff_t *tvb, packet_info *pinfo _U_, pr
guint16 prop_type;
guint16 prop_length;
guint16 elem_begin;
- guint16 body_end;
+ gint32 body_end;
guint16 pad_length;
prop_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_table_feature_prop, &ti, "Table feature property");
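Review bot: `elem_begin`, on the context line above `body_end`, stays `guint16` while `body_end` becomes `gint32`. If it stores a copy of `offset` (the name suggests so; its use is outside the hunk), it has the same truncation problem this commit fixes for the end offsets once the offset exceeds 65535, and any comparison against `offset` would then misfire. I would widen it in the same change: `gint32 elem_begin;`.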
@@ -3606,6 +3615,10 @@ dissect_openflow_table_feature_prop_v5(tvbuff_t *tvb, packet_info *pinfo _U_, pr
proto_tree_add_item(prop_tree, hf_openflow_v5_table_feature_prop_length, tvb, offset, 2, ENC_BIG_ENDIAN);
offset+=2;
+ if (prop_length < 4) {
+ prop_length = 4;
+ }
+
body_end = offset + prop_length - 4;
/* body */
@@ -3704,7 +3717,7 @@ dissect_openflow_table_features_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_
proto_item *ti;
proto_tree *feat_tree, *caps_tree;
guint16 feat_length;
- guint16 feat_end;
+ gint32 feat_end;
feat_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_table_features, &ti, "Table features");
@@ -4118,7 +4131,7 @@ dissect_openflow_flow_stats_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
proto_item *ti;
proto_tree *stats_tree, *flags_tree;
guint16 stats_len;
- guint16 stats_end;
+ gint32 stats_end;
stats_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_flow_stats, &ti, "Flow stats");
@@ -4342,7 +4355,7 @@ dissect_openflow_table_desc_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
proto_item *ti;
proto_tree *desc_tree, *conf_tree;
guint16 desc_length;
- guint16 desc_end;
+ gint32 desc_end;
desc_length = tvb_get_ntohs(tvb, offset);
desc_end = offset + desc_length;
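Review bot: `desc_end = offset + desc_length` takes the length straight from the packet with no lower bound, unlike the bucket, instruction and table-feature-property dissectors that this commit clamps to their fixed header size. The signed type stops the wrap, but a `desc_length` smaller than the fixed part of the structure still yields an end that lies behind the offset once the fixed fields are consumed; whether the remaining code tolerates that is outside the hunk. The same pattern is visible in the hunks for `dissect_openflow_queue_stats_v5`, `dissect_openflow_queue_desc_v5`, `dissect_openflow_flow_update_v5` and `dissect_openflow_message_v5`. I would either add the minimum-length check there too, or add a comment such as `/* a short length leaves desc_end <= offset, so the loop below is skipped */` (if that is indeed what happens) so the omission reads as deliberate.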
@@ -4442,7 +4455,7 @@ dissect_openflow_queue_stats_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
{
proto_tree *stats_tree;
guint16 stats_len;
- guint16 stats_end;
+ gint32 stats_end;
stats_len = tvb_get_ntohs(tvb, offset);
stats_end = offset + stats_len;
@@ -4528,7 +4541,7 @@ dissect_openflow_group_stats_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
proto_item *ti;
proto_tree *stats_tree;
guint16 stats_len;
- guint16 stats_end;
+ gint32 stats_end;
stats_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_group_stats, &ti, "Group stats");
@@ -4590,7 +4603,7 @@ dissect_openflow_group_desc_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
proto_tree *desc_tree;
guint16 desc_len;
- guint16 desc_end;
+ gint32 desc_end;
desc_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_group_desc, &ti, "Group description");
@@ -4836,7 +4849,7 @@ dissect_openflow_meter_config_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tr
proto_item *ti;
proto_tree *conf_tree, *flags_tree;
guint16 config_len;
- guint16 config_end;
+ gint32 config_end;
conf_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_openflow_v5_meter_config, &ti, "Meter config");
@@ -5037,7 +5050,7 @@ dissect_openflow_queue_desc_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
{
proto_tree *desc_tree;
guint16 desc_len;
- guint16 desc_end;
+ gint32 desc_end;
desc_len = tvb_get_ntohs(tvb, offset + 8);
desc_end = offset + desc_len;
@@ -5100,7 +5113,7 @@ dissect_openflow_flow_update_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tre
proto_tree *update_tree;
guint16 update_len;
guint16 update_event;
- guint16 update_end;
+ gint32 update_end;
update_len = tvb_get_ntohs(tvb, offset);
update_end = offset + update_len;
@@ -5811,7 +5824,7 @@ dissect_openflow_message_v5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
{
guint8 type;
guint16 length;
- guint16 msg_end;
+ gint32 msg_end;
type = tvb_get_guint8(tvb, offset + 1);
length = tvb_get_ntohs(tvb, offset + 2);