diff options
author | Evan Huus <eapache@gmail.com> | 2013-06-01 23:56:32 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2013-06-01 23:56:32 +0000 |
commit | 3c2647947f8dc16dfba9ed91667036cab761e671 (patch) | |
tree | ec7a0d91c847d45f47d53712b190b86aa28728b7 /epan/dissectors/packet-gsm_cbch.c | |
parent | d7638de9b774d7029667c0451d486709122a910a (diff) | |
download | wireshark-3c2647947f8dc16dfba9ed91667036cab761e671.tar.gz |
Fix an infinite loop in the GSM CBCH dissector.
The looping logic is a bit odd, and there was a case where we were never
incrementing any of the multiple loop variables. I suspect the entire function
could be simplified, but this commit fixes the hang and is better suited to
backporting than anything complex.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730
svn path=/trunk/; revision=49686
Diffstat (limited to 'epan/dissectors/packet-gsm_cbch.c')
-rw-r--r-- | epan/dissectors/packet-gsm_cbch.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c index 69791d900a..340fcbfb52 100644 --- a/epan/dissectors/packet-gsm_cbch.c +++ b/epan/dissectors/packet-gsm_cbch.c @@ -125,9 +125,9 @@ cbch_defragment_init(void) static void dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree) { + guint len, offset = 0; guint8 octet1, i, j, k = 0; - guint8 len, sched_begin, sched_end, new_slots[48]; - guint8 offset = 0; + guint8 sched_begin, sched_end, new_slots[48]; gboolean valid_message = TRUE; guint16 other_slots[48]; proto_item *item = NULL, *schedule_item = NULL; @@ -252,7 +252,7 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree /* print schedule of other messages */ item = proto_tree_add_text(sched_tree, tvb, offset, 0, "Other message slots in this schedule"); sched_subtree = proto_item_add_subtree(item, ett_schedule_new_msg); - for (k=0; offset<len; j++) + for (k=0; offset < len; j++) { while ((other_slots[k]!=0xFFFF) && (k<sched_end)) { @@ -278,6 +278,16 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree ++k, msg_id); offset +=2; } + else + { + /* I'm not sure what's supposed to be dissected in this + * case. Perhaps just an expert info is appropriate? + * Regardless, we need to increment k to prevent an + * infinite loop, see + * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730 + */ + ++k; + } } else if ((octet1 & 0xC0) == 0) { |