authorEvan Huus <eapache@gmail.com>2013-06-01 23:56:32 +0000
committerEvan Huus <eapache@gmail.com>2013-06-01 23:56:32 +0000
commit3c2647947f8dc16dfba9ed91667036cab761e671 (patch)
treeec7a0d91c847d45f47d53712b190b86aa28728b7 /epan/dissectors/packet-gsm_cbch.c
parentd7638de9b774d7029667c0451d486709122a910a (diff)
Fix an infinite loop in the GSM CBCH dissector.
The looping logic is a bit odd, and there was a case where we were never incrementing any of the multiple loop variables. I suspect the entire function could be simplified, but this commit fixes the hang and is better suited to backporting than anything complex. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730 svn path=/trunk/; revision=49686
Diffstat (limited to 'epan/dissectors/packet-gsm_cbch.c')
-rw-r--r--epan/dissectors/packet-gsm_cbch.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c
index 69791d900a..340fcbfb52 100644
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@@ -125,9 +125,9 @@ cbch_defragment_init(void)
static void
dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree)
{
+ guint len, offset = 0;
guint8 octet1, i, j, k = 0;
- guint8 len, sched_begin, sched_end, new_slots[48];
- guint8 offset = 0;
+ guint8 sched_begin, sched_end, new_slots[48];
gboolean valid_message = TRUE;
guint16 other_slots[48];
proto_item *item = NULL, *schedule_item = NULL;
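Review bot: The widening of `len` and `offset` from `guint8` to `guint` is not explained in the code, and the commit message only describes the loop variable that was never incremented. Presumably the aim is to stop an 8-bit offset from wrapping, or an 8-bit length from being truncated, before `offset < len` becomes false; that should be confirmed and recorded above the declaration, e.g. `/* guint, not guint8: offset must not wrap before it reaches len */`. `i`, `j` and `k` stay `guint8`, and `k` is the index into the 48-entry `other_slots`, so its bound deserves the same attention. The function body continues outside the hunk.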
@@ -252,7 +252,7 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
/* print schedule of other messages */
item = proto_tree_add_text(sched_tree, tvb, offset, 0, "Other message slots in this schedule");
sched_subtree = proto_item_add_subtree(item, ett_schedule_new_msg);
- for (k=0; offset<len; j++)
+ for (k=0; offset < len; j++)
{
while ((other_slots[k]!=0xFFFF) && (k<sched_end))
{
@@ -278,6 +278,16 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
++k, msg_id);
offset +=2;
}
+ else
+ {
+ /* I'm not sure what's supposed to be dissected in this
+ * case. Perhaps just an expert info is appropriate?
+ * Regardless, we need to increment k to prevent an
+ * infinite loop, see
+ * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8730
+ */
+ ++k;
+ }
}
else if ((octet1 & 0xC0) == 0)
{