diff options
| author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-16 17:59:26 +0000 |
|---|---|---|
| committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-07-16 17:59:26 +0000 |
| commit | 9bee5819f808bc855e1a1da08aac145dd5905fcb (patch) | |
| tree | f240c5a35ee25c5946c14ca036824752be77454f /epan/dissectors/packet-gsm_a_common.c | |
| parent | bd0dbc23caebf0996ac919cc541f6d53f8e9e1f6 (diff) | |
| download | wireshark-9bee5819f808bc855e1a1da08aac145dd5905fcb.tar.gz | |
Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8940 :
Test whether idx is in range or not (by seeing if it was found in the
value_string) before using it as an index into any of the elem_var arrays.
This fuzz failure was in elem_telv() but apply the fix to all the elem_*()
functions.
svn path=/trunk/; revision=50672
Diffstat (limited to 'epan/dissectors/packet-gsm_a_common.c')
| -rw-r--r-- | epan/dissectors/packet-gsm_a_common.c | 91 |
1 files changed, 70 insertions, 21 deletions
diff --git a/epan/dissectors/packet-gsm_a_common.c b/epan/dissectors/packet-gsm_a_common.c index bd0fffeea2..037b493b0f 100644 --- a/epan/dissectors/packet-gsm_a_common.c +++ b/epan/dissectors/packet-gsm_a_common.c @@ -1231,6 +1231,7 @@ guint16 elem_tlv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 iei proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1243,13 +1244,18 @@ guint16 elem_tlv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 iei if (oct == iei) { parm_len = tvb_get_guint8(tvb, curr_offset + 1); + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, parm_len + 1 + lengt_length, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, @@ -1311,6 +1317,7 @@ guint16 elem_telv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 ie proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1330,13 +1337,18 @@ guint16 elem_telv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 ie parm_len = parm_len & 0x7f; } + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, parm_len + 1 + lengt_length, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, @@ -1397,6 +1409,7 @@ guint16 elem_tlv_e(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 i proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1409,11 +1422,16 @@ guint16 elem_tlv_e(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 i if (oct == iei) { parm_len = tvb_get_ntohs(tvb, curr_offset + 1); + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, parm_len + 1 + 2, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, @@ -1471,6 +1489,7 @@ guint16 elem_tv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 iei, proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1482,13 +1501,17 @@ guint16 elem_tv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint8 iei, if (oct == iei) { + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = - proto_tree_add_text(tree, - tvb, curr_offset, -1, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + proto_tree_add_text(tree, tvb, curr_offset, -1, + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, @@ -1543,6 +1566,7 @@ guint16 elem_tv_short(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); char buf[10+1]; @@ -1555,13 +1579,18 @@ guint16 elem_tv_short(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint if ((oct & 0xf0) == (iei & 0xf0)) { + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, -1, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); other_decode_bitfield_value(buf, oct, 0xf0, 8); @@ -1650,6 +1679,7 @@ elem_lv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_type, int proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1659,13 +1689,18 @@ elem_lv(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_type, int parm_len = tvb_get_guint8(tvb, curr_offset); + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, parm_len + 1, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, hf_gsm_a_length, tvb, @@ -1713,6 +1748,7 @@ guint16 elem_lv_e(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_ proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1722,11 +1758,16 @@ guint16 elem_lv_e(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_ parm_len = tvb_get_ntohs(tvb, curr_offset); + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, parm_len + 2, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); proto_tree_add_uint(subtree, hf_gsm_a_length, tvb, @@ -1775,6 +1816,7 @@ guint16 elem_v(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_typ proto_item *item; value_string_ext elem_names_ext; gint *elem_ett; + const gchar *elem_name; guint16 (**elem_funcs)(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len, gchar *add_string, int string_len); curr_offset = offset; @@ -1782,7 +1824,9 @@ guint16 elem_v(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_typ SET_ELEM_VARS(pdu_type, elem_names_ext, elem_ett, elem_funcs); - if (elem_funcs[idx] == NULL) + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + + if (elem_name == NULL || elem_funcs[idx] == NULL) { /* BAD THING, CANNOT DETERMINE LENGTH */ @@ -1799,8 +1843,7 @@ guint16 elem_v(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint pdu_typ item = proto_tree_add_text(tree, tvb, curr_offset, 0, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name, (name_add == NULL) || (name_add[0] == '\0') ? "" : name_add); subtree = proto_item_add_subtree(item, elem_ett[idx]); @@ -1835,17 +1878,23 @@ guint16 elem_v_short(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gint p gint *elem_ett; elem_fcn *elem_funcs; gchar *a_add_string; + const gchar *elem_name; curr_offset = offset; SET_ELEM_VARS(pdu_type, elem_names_ext, elem_ett, elem_funcs); + elem_name = try_val_to_str_ext(idx, &elem_names_ext); + item = proto_tree_add_text(tree, tvb, curr_offset, 0, - "%s%s", - val_to_str_ext(idx, &elem_names_ext, "Unknown (%u)"), + "%s%s", elem_name ? elem_name : "Unknown - aborting dissection", ""); + /* idx is out of range */ + if (elem_name == NULL) + return(consumed); + subtree = proto_item_add_subtree(item, elem_ett[idx]); a_add_string= (gchar*)ep_alloc(1024); |