MBIM: fix dissection of GSM SMS messages

Change-Id: I07e753e50a42513daa704e56ee5c9b399a91fec9 Reviewed-on: https://code.wireshark.org/review/1305 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
author: Pascal Quantin <pascal.quantin@gmail.com> 2014-04-23 19:32:07 +0200
committer: Pascal Quantin <pascal.quantin@gmail.com> 2014-04-23 17:45:25 +0000
commit: cd4d4acdbc8b283600991460f960988e17ed95e1 (patch)
tree: d0ac23f3325f5cdc46cc5fa756fcf3152cae6a6b /epan/dissectors/packet-mbim.c
parent: 3b6789ecbefd47cd7c5200edab64ecc94dd581c0 (diff)
download: wireshark-cd4d4acdbc8b283600991460f960988e17ed95e1.tar.gz
1 files changed, 17 insertions, 12 deletions
diff --git a/epan/dissectors/packet-mbim.c b/epan/dissectors/packet-mbim.c
index 08e39251e3..714297e619 100644
--- a/epan/dissectors/packet-mbim.c
+++ b/epan/dissectors/packet-mbim.c
@@ -2878,10 +2878,10 @@ mbim_dissect_sms_pdu_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
     /*offset += 4;*/
     if (pdu_data_offset && pdu_data_size) {
         if ((mbim_conv->cellular_class & MBIM_CELLULAR_CLASS_GSM) && gsm_sms_handle) {
-            sc_address_size = tvb_get_guint8(tvb, base_offset + pdu_data_offset);
             ti = proto_tree_add_item(tree, hf_mbim_sms_pdu_record_pdu_data, tvb, base_offset + pdu_data_offset,
-                                     pdu_data_size + 1 + sc_address_size, ENC_NA);
+                                     pdu_data_size, ENC_NA);
             subtree = proto_item_add_subtree(ti, ett_mbim_buffer);
+            sc_address_size = tvb_get_guint8(tvb, base_offset + pdu_data_offset);
             ti = proto_tree_add_text(subtree, tvb, base_offset + pdu_data_offset, 1 + sc_address_size,
                                      "Service Center Address");
             sc_tree = proto_item_add_subtree(ti, ett_mbim_sc_address);
@@ -2891,10 +2891,13 @@ mbim_dissect_sms_pdu_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                 de_cld_party_bcd_num(tvb, sc_tree, pinfo, base_offset + pdu_data_offset + 1,
                                      sc_address_size, NULL, 0);
             }
-            sms_tvb = tvb_new_subset(tvb, base_offset + pdu_data_offset + 1 + sc_address_size,
-                                     pdu_data_size, pdu_data_size);
-            pinfo->p2p_dir = (message_status < 2) ? P2P_DIR_SENT : P2P_DIR_RECV;
-            call_dissector(gsm_sms_handle, sms_tvb, pinfo, subtree);
+            if (pdu_data_size > (guint32)(sc_address_size + 1)) {
+                pdu_data_size -= sc_address_size + 1;
+                sms_tvb = tvb_new_subset(tvb, base_offset + pdu_data_offset + 1 + sc_address_size,
+                                         pdu_data_size, pdu_data_size);
+                pinfo->p2p_dir = (message_status < 2) ? P2P_DIR_SENT : P2P_DIR_RECV;
+                call_dissector(gsm_sms_handle, sms_tvb, pinfo, subtree);
+            }
         } else {
             ti = proto_tree_add_item(tree, hf_mbim_sms_pdu_record_pdu_data, tvb, base_offset + pdu_data_offset,
                                      pdu_data_size, ENC_NA);
@@ -3075,10 +3078,10 @@ mbim_dissect_sms_send_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, g
     /*offset += 4;*/
     if (pdu_data_offset && pdu_data_size) {
         if ((mbim_conv->cellular_class & MBIM_CELLULAR_CLASS_GSM) && gsm_sms_handle) {
-            sc_address_size = tvb_get_guint8(tvb, base_offset + pdu_data_offset);
             ti = proto_tree_add_item(tree, hf_mbim_sms_send_pdu_pdu_data, tvb, base_offset + pdu_data_offset,
-                                     pdu_data_size + 1 + sc_address_size, ENC_NA);
+                                     pdu_data_size, ENC_NA);
             subtree = proto_item_add_subtree(ti, ett_mbim_buffer);
+            sc_address_size = tvb_get_guint8(tvb, base_offset + pdu_data_offset);
             ti = proto_tree_add_text(subtree, tvb, base_offset + pdu_data_offset, 1 + sc_address_size,
                                      "Service Center Address");
             sc_tree = proto_item_add_subtree(ti, ett_mbim_sc_address);
@@ -3088,10 +3091,12 @@ mbim_dissect_sms_send_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, g
                 de_cld_party_bcd_num(tvb, sc_tree, pinfo, base_offset + pdu_data_offset + 1,
                                      sc_address_size, NULL, 0);
             }
-            sms_tvb = tvb_new_subset(tvb, base_offset + pdu_data_offset + 1 + sc_address_size,
-                                     pdu_data_size, pdu_data_size);
-            pinfo->p2p_dir = P2P_DIR_RECV;
-            call_dissector(gsm_sms_handle, sms_tvb, pinfo, subtree);
+            if (pdu_data_size > (guint32)(sc_address_size + 1)) {
+                sms_tvb = tvb_new_subset(tvb, base_offset + pdu_data_offset + 1 + sc_address_size,
+                                         pdu_data_size, pdu_data_size);
+                pinfo->p2p_dir = P2P_DIR_RECV;
+                call_dissector(gsm_sms_handle, sms_tvb, pinfo, subtree);
+            }
         } else {
             ti = proto_tree_add_item(tree, hf_mbim_sms_send_pdu_pdu_data, tvb, base_offset + pdu_data_offset,
                                      pdu_data_size, ENC_NA);
author	Pascal Quantin <pascal.quantin@gmail.com>	2014-04-23 19:32:07 +0200
committer	Pascal Quantin <pascal.quantin@gmail.com>	2014-04-23 17:45:25 +0000
commit	cd4d4acdbc8b283600991460f960988e17ed95e1 (patch)
tree	d0ac23f3325f5cdc46cc5fa756fcf3152cae6a6b /epan/dissectors/packet-mbim.c
parent	3b6789ecbefd47cd7c5200edab64ecc94dd581c0 (diff)
download	wireshark-cd4d4acdbc8b283600991460f960988e17ed95e1.tar.gz