author | Peter Wu <peter@lekensteyn.nl> | 2017-06-30 21:15:21 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-07-01 06:37:22 +0000 |
commit | e47b68b578db306f2c8a5681359edebab2e2c9d3 (patch) | |
tree | 318ec707cb1a0ae9ee9e78dbae6259f576fa3b6c | |
parent | f9fd438b6d8d5fb535881e94f736025b46a3fcc4 (diff) | |
ospf: workaround Opaque Information with bad TLV
The linked pcap seems to contain a TLV (type=255 (Unknown)) followed by
four bytes (00 00 00 14, interpreted as TLV (type=0, length=20)). That
is bogus, so stop dissecting if no more data is available.
While at it, implement alignment at four octets.
Bug: 13823
Change-Id: Iacf863c0c6605db40e87f63a950d61c1db6debaa
Reviewed-on: https://code.wireshark.org/review/22488
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ospf.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/epan/dissectors/packet-ospf.c b/epan/dissectors/packet-ospf.c
index 5c265a245d..1199e7b797 100644
--- a/epan/dissectors/packet-ospf.c
+++ b/epan/dissectors/packet-ospf.c
@@ -2391,14 +2391,15 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 {
 proto_tree *ri_tree;
 proto_tree *tlv_tree;
+ int offset_end = offset + length;
 int tlv_type;
- int tlv_length;
+ guint tlv_length;
 ri_tree = proto_tree_add_subtree(tree, tvb, offset, length, ett_ospf_lsa_opaque_ri, NULL, "Opaque Router Information LSA");
- while (length > 0) {
+ while (offset < offset_end) {
 tlv_type = tvb_get_ntohs(tvb, offset);
 tlv_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2427,7 +2428,7 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 break;
 case OPAQUE_TLV_SA:{
- int sa_number;
+ guint sa_number;
 tlv_tree = proto_tree_add_subtree_format(ri_tree, tvb, offset, tlv_length+4, ett_ospf_lsa_sa_tlv, NULL, "%s", val_to_str_const(tlv_type, ri_tlv_type_vals, "Unknown Opaque RI LSA TLV"));
@@ -2441,6 +2442,10 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 break;
 }
 default:
+ if (tlv_length > (guint)(offset_end - offset)) {
+ /* Invalid length, probably not TLV. */
+ return;
+ }
 tlv_tree = proto_tree_add_subtree_format(ri_tree, tvb, offset, tlv_length+4, ett_ospf_lsa_unknown_tlv, NULL, "%s", val_to_str_const(tlv_type, ri_tlv_type_vals, "Unknown Opaque RI LSA TLV"));
@@ -2453,8 +2458,11 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 }
- offset += tlv_length + 4;
- length -= tlv_length + 4;
+ /*
+ * RFC 7770, section 2.3: 4-octet aligned, but type, length and padding
+ * is not included in the length.
+ * */
+ offset += 4 + ((tlv_length + 3) & ~3);
 }
 } |
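Review bot: The new loop condition `while (offset < offset_end)` still enters the body when only one to three bytes remain, so the two `tvb_get_ntohs` calls can take a type and length from bytes beyond the LSA's declared end. Requiring a complete header, `while (offset_end - offset >= 4) {`, keeps the parse inside the declared length. `offset_end` is also an `int` built from `offset + length`; the declaration of `length` is outside the hunk, so if it is an unsigned value taken from the packet, the sum should be bounded before it is stored in a signed variable. The function body continues outside this hunk.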
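Review bot: In the `OPAQUE_TLV_SA` case `tlv_length+4` is handed to `proto_tree_add_subtree_format` as the item length without being compared to the bytes left in the LSA; the remaining-length check this commit introduces sits only under `default:` (the hunk starting at old line 2441). Moving that check to just before the `switch` would cover every TLV type, including the cases that are not visible in this diff. The loop that consumes `sa_number` is outside the hunk, so the effect of its change to `guint` on that loop cannot be confirmed from here.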
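Review bot: The added guard compares `tlv_length` with `offset_end - offset`, which still counts the 4-byte type/length header at `offset`, so a length that overruns the LSA by up to four bytes passes. Comparing the whole TLV closes that gap: `if (tlv_length + 4 > (guint)(offset_end - offset)) {`. The `return` also ends dissection silently; an expert-info item attached to `ri_tree` before returning would show an analyst that the LSA carried a malformed TLV rather than leaving a quietly shortened tree. The `switch` and the rest of the `default:` body continue outside the hunk.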
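Review bot: The comment above the new advance is hard to read: it closes with `* */` and says type, length and padding "is not included" without naming the field it means. Something like `/* RFC 7770, section 2.3: TLVs are padded to 4-octet alignment; the Length field covers the value only (no type, length or padding octets). */` states the rule the expression implements. The expression also mixes `int offset`, `guint tlv_length` and the `int` constant `~3`; `offset += 4 + (int)((tlv_length + 3) & ~3U);` makes the intended unsigned masking explicit.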