author | Pascal Quantin <pascal.quantin@gmail.com> | 2016-07-25 17:08:26 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2016-07-26 03:53:29 +0000 |
commit | 2193bea3212d74e2a907152055e27d409b59485e (patch) | |
tree | 74b12a6513498dcadf50878dbaf056b6b99939cd /epan/dissectors/packet-wsp.c | |
parent | 56706427f53cc64793870bf072c2c06248ae88f3 (diff) | |
WAP: check that tvb_get_guintvar does not overflow
Bug: 12661
Change-Id: I2ef857d6be6595fd89f3dbb8d41c1c70d550ad93
Reviewed-on: https://code.wireshark.org/review/16665
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-wsp.c')
-rw-r--r-- | epan/dissectors/packet-wsp.c | 56 |
1 files changed, 29 insertions, 27 deletions
diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c
index 2b2b18922a..fec6900c6d 100644
--- a/epan/dissectors/packet-wsp.c
+++ b/epan/dissectors/packet-wsp.c
@@ -380,6 +380,7 @@ static expert_field ei_wsp_undecoded_parameter = EI_INIT;
 static expert_field ei_hdr_x_wap_tod = EI_INIT;
 static expert_field ei_wsp_trailing_quote = EI_INIT;
 static expert_field ei_wsp_header_invalid = EI_INIT;
+static expert_field ei_wsp_oversized_uintvar = EI_INIT;
 /* Handle for WSP-over-UDP dissector */
@@ -1291,7 +1292,7 @@ static void add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *p
 #define is_uri_value(x) is_text_string(x)
 #define get_uintvar_integer(val,tvb,start,len,ok) \
- val = tvb_get_guintvar(tvb,start,&len); \
+ val = tvb_get_guintvar(tvb,start,&len, pinfo, &ei_wsp_oversized_uintvar); \
 if (len>5) ok = FALSE; else ok = TRUE;
 #define get_short_integer(val,tvb,start,len,ok) \
 val = tvb_get_guint8(tvb,start); \
@@ -1438,7 +1439,7 @@ parameter_value_q (proto_tree *tree, packet_info *pinfo, proto_item *ti, tvbuff_
 /* END */ \
 } else { /* val_start points to 1st byte of length field */ \
 if (val_id == 0x1F) { /* Value Length = guintvar */ \
- val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len); \
+ val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len, pinfo, &ei_wsp_oversized_uintvar); \
 val_len_len++; /* 0x1F length indicator byte */ \
 } else { /* Short length followed by Len data octets */ \
 val_len = tvb_get_guint8(tvb, offset); \
@@ -4529,7 +4530,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 tvb, 0, 1, version);
 /* Length of Application-Id headers list */
- val_len = tvb_get_guintvar(tvb, 1, &len);
+ val_len = tvb_get_guintvar(tvb, 1, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_app_id_list_len, tvb, 1, len, val_len);
 offset = 1 + len;
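Review bot: The `get_uintvar_integer` macro (hunk at 1291) and the `parameter_value_q` helper macro (hunk at 1438) now expand to a call that uses `pinfo` and `ei_wsp_oversized_uintvar` without either appearing in the macro's parameter list, so every expansion site silently depends on a `packet_info *pinfo` being in scope, and a site without one fails with an error pointing at the use rather than the define. A one-line comment above each define would make that contract visible, e.g. `/* Requires a packet_info *pinfo in the expanding scope (expert info for oversized uintvars). */`. Separately, `get_uintvar_integer` still computes `ok` from `if (len>5)`; the new signature suggests the oversize check has moved into tvb_get_guintvar itself (in packet-wap.c, not part of this diff), and if that helper now caps the bytes consumed at five, `len` can never exceed 5 and `ok` is always TRUE, so the macro would no longer reject the value it just flagged. Worth confirming how `len` is reported for an oversized encoding and, if it is capped, deriving `ok` from the helper's result instead. Both macros continue past the end of their hunks.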
@@ -4539,7 +4540,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 offset += val_len;
 /* Length of WSP contact points list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_wsp_contact_points_len, tvb, offset, len, val_len);
 offset += len;
@@ -4554,7 +4555,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 offset += val_len;
 /* Length of non-WSP contact points list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_contact_points_len, tvb, offset, len, val_len);
 offset += len;
@@ -4565,7 +4566,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 offset += val_len;
 /* Number of entries in the Protocol Options list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_protocol_options_len, tvb, offset, len, val_len);
 offset += len;
@@ -4574,14 +4575,14 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 val_len_save = val_len;
 for (i = 0; i < val_len_save; i++) {
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_protocol_options, tvb, offset, len, val_len);
 offset += len;
 }
 /* Length of ProvURL */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_prov_url_len, tvb, offset, len, val_len);
 offset += len;
@@ -4591,7 +4592,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 offset += val_len;
 /* Number of entries in the CPITag list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(subtree, hf_sir_cpi_tag_len, tvb, offset, len, val_len);
 offset += len;
@@ -4706,7 +4707,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 offset++;
 } else {
 count = 0; /* Initialise count */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint (wsp_tree, hf_wsp_server_session_id, tvb, offset, count, value);
@@ -4714,7 +4715,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 offset += count;
 }
 count = 0; /* Initialise count */
- capabilityLength = tvb_get_guintvar (tvb, offset, &count);
+ capabilityLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint (wsp_tree, hf_capabilities_length, tvb, offset, count, capabilityLength);
 offset += count;
@@ -4722,7 +4723,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 if (pdut != WSP_PDU_RESUME) {
 count = 0; /* Initialise count */
- headerLength = tvb_get_guintvar (tvb, offset, &count);
+ headerLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint (wsp_tree, hf_wsp_header_length, tvb, offset, count, headerLength);
 offset += count;
@@ -4759,7 +4760,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 case WSP_PDU_SUSPEND:
 if (tree) {
 count = 0; /* Initialise count */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint (wsp_tree, hf_wsp_server_session_id, tvb, offset, count, value);
@@ -4774,7 +4775,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 case WSP_PDU_TRACE:
 count = 0; /* Initialise count */
 /* Length of URI and size of URILen field */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 nextOffset = offset + count;
 add_uri (wsp_tree, pinfo, tvb, offset, nextOffset, proto_ti);
 if (tree) {
@@ -4788,10 +4789,10 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 case WSP_PDU_PUT:
 uriStart = offset;
 count = 0; /* Initialise count */
- uriLength = tvb_get_guintvar (tvb, offset, &count);
+ uriLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 headerStart = uriStart+count;
 count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, headerStart, &count);
+ headersLength = tvb_get_guintvar (tvb, headerStart, &count, pinfo, &ei_wsp_oversized_uintvar);
 offset = headerStart + count;
 add_uri (wsp_tree, pinfo, tvb, uriStart, offset, proto_ti);
@@ -4869,7 +4870,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 case WSP_PDU_REPLY:
 count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, offset+1, &count);
+ headersLength = tvb_get_guintvar (tvb, offset+1, &count, pinfo, &ei_wsp_oversized_uintvar);
 headerStart = offset + count + 1;
 {
 guint8 reply_status = tvb_get_guint8(tvb, offset);
@@ -4960,7 +4961,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 case WSP_PDU_PUSH:
 case WSP_PDU_CONFIRMEDPUSH:
 count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, offset, &count);
+ headersLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 headerStart = offset + count;
 proto_tree_add_uint (wsp_tree, hf_wsp_header_length,
@@ -5095,7 +5096,7 @@ add_uri (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
 guint URILenOffset, guint URIOffset, proto_item *proto_ti)
 {
 guint count = 0;
- guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count);
+ guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count, pinfo, &ei_wsp_oversized_uintvar);
 gchar *str;
 proto_tree_add_uint (tree, hf_wsp_header_uri_len,
@@ -5183,7 +5184,7 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
 * Now Offset points to the 1st byte of a capability field.
 * Get the length of the capability field */
- capaValueLen = tvb_get_guintvar(tvb, offset, &len);
+ capaValueLen = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 capaLen = capaValueLen + len;
 cap_subtree = proto_tree_add_subtree(wsp_capabilities, tvb, offset, capaLen, ett_capabilities_entry, &cap_item, "Capability");
@@ -5244,12 +5245,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
 /* Now the capability type is known */
 switch (peek) {
 case WSP_CAPA_CLIENT_SDU_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(cap_subtree, hf_capa_client_sdu_size, tvb, offset, len, value);
 break;
 case WSP_CAPA_SERVER_SDU_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(cap_subtree, hf_capa_server_sdu_size, tvb, offset, len, value);
 break;
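Review bot: In the add_capabilities hunk at 5183 the uintvar result is still trusted after being flagged: `capaLen = capaValueLen + len;` feeds `proto_tree_add_subtree` as the entry length, and since `capaValueLen` comes straight from the packet, a value near the top of the 32-bit range wraps when `len` is added, yielding a small, plausible-looking `capaLen` that any length check inside the subtree call would accept. The expert item introduced by this commit only annotates the tree; nothing in the hunk skips or truncates the entry. Bounding the value against what the buffer can hold before computing `capaLen` closes this, e.g. `gint remaining = tvb_reported_length_remaining(tvb, offset + len);` followed by `if (remaining < 0 || capaValueLen > (guint)remaining) { proto_tree_add_expert(wsp_capabilities, pinfo, &ei_wsp_header_invalid, tvb, offset, len); return; }` — whether `return` or a loop `break` is the right exit depends on the enclosing loop, which starts and ends outside this hunk. The declarations of `capaValueLen`, `capaLen` and `len` are not visible here; this assumes they are guint like `uriLen` in the add_uri hunk above.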
@@ -5352,12 +5353,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
 tvb, capaStart, capaLen, ENC_NA);
 break;
 case WSP_CAPA_CLIENT_MESSAGE_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(cap_subtree, hf_capa_client_message_size, tvb, offset, len, value);
 break;
 case WSP_CAPA_SERVER_MESSAGE_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
 proto_tree_add_uint(cap_subtree, hf_capa_server_message_size, tvb, offset, len, value);
 break;
@@ -5489,7 +5490,7 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo)
 heur_dtbl_entry_t *hdtbl_entry;
- nEntries = tvb_get_guintvar (tvb, offset, &count);
+ nEntries = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 offset += count;
 if (nEntries) {
@@ -5499,9 +5500,9 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo)
 while (nEntries--) {
 part_start = offset;
- HeadersLen = tvb_get_guintvar (tvb, offset, &count);
+ HeadersLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 offset += count;
- DataLen = tvb_get_guintvar (tvb, offset, &count);
+ DataLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
 offset += count;
 ti = proto_tree_add_uint(sub_tree, hf_wsp_mpart, tvb, part_start,
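Review bot: In the add_multipart_data hunk at 5489, `nEntries` is read from the packet and then drives `while (nEntries--)` (hunk at 5499) with no relation to the bytes actually available, so a crafted count in the billions is only stopped by a later read running off the end of the tvb; the loop body continues outside the hunk, so whether every iteration is guaranteed to advance `offset` cannot be confirmed from here. Each part needs at least two uintvar bytes, so a cheap bound right after the read (before `offset += count`) makes the loop provably finite: `gint avail = tvb_reported_length_remaining(tvb, offset + count);` then `if (avail < 0 || nEntries > (guint)avail / 2) { proto_tree_add_expert(tree, pinfo, &ei_wsp_header_invalid, tvb, offset, count); return; }`. This assumes `nEntries` is an unsigned 32-bit type like `uriLen` in the add_uri hunk; its declaration is outside the hunk.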
@@ -7157,6 +7158,7 @@ proto_register_wsp(void)
 { &ei_wsp_undecoded_parameter, { "wsp.undecoded_parameter", PI_UNDECODED, PI_WARN, "Invalid parameter value", EXPFILL }},
 { &ei_wsp_trailing_quote, { "wsp.trailing_quote", PI_PROTOCOL, PI_WARN, "Quoted-string value has been encoded with a trailing quote", EXPFILL }},
 { &ei_wsp_header_invalid, { "wsp.header_invalid", PI_MALFORMED, PI_ERROR, "Malformed header", EXPFILL }},
+ { &ei_wsp_oversized_uintvar, { "wsp.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }}
 };
 expert_module_t* expert_wsp; |