authorPascal Quantin <pascal.quantin@gmail.com>2016-07-25 17:08:26 +0200
committerAnders Broman <a.broman58@gmail.com>2016-07-26 03:53:29 +0000
commit2193bea3212d74e2a907152055e27d409b59485e (patch)
tree74b12a6513498dcadf50878dbaf056b6b99939cd /epan/dissectors/packet-wsp.c
parent56706427f53cc64793870bf072c2c06248ae88f3 (diff)
WAP: check that tvb_get_guintvar does not overflow
Bug: 12661 Change-Id: I2ef857d6be6595fd89f3dbb8d41c1c70d550ad93 Reviewed-on: https://code.wireshark.org/review/16665 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-wsp.c')
-rw-r--r--epan/dissectors/packet-wsp.c56
1 files changed, 29 insertions, 27 deletions
diff --git a/epan/dissectors/packet-wsp.c b/epan/dissectors/packet-wsp.c
index 2b2b18922a..fec6900c6d 100644
--- a/epan/dissectors/packet-wsp.c
+++ b/epan/dissectors/packet-wsp.c
@@ -380,6 +380,7 @@ static expert_field ei_wsp_undecoded_parameter = EI_INIT;
static expert_field ei_hdr_x_wap_tod = EI_INIT;
static expert_field ei_wsp_trailing_quote = EI_INIT;
static expert_field ei_wsp_header_invalid = EI_INIT;
+static expert_field ei_wsp_oversized_uintvar = EI_INIT;
/* Handle for WSP-over-UDP dissector */
@@ -1291,7 +1292,7 @@ static void add_headers (proto_tree *tree, tvbuff_t *tvb, int hf, packet_info *p
#define is_uri_value(x) is_text_string(x)
#define get_uintvar_integer(val,tvb,start,len,ok) \
- val = tvb_get_guintvar(tvb,start,&len); \
+ val = tvb_get_guintvar(tvb,start,&len, pinfo, &ei_wsp_oversized_uintvar); \
if (len>5) ok = FALSE; else ok = TRUE;
#define get_short_integer(val,tvb,start,len,ok) \
val = tvb_get_guint8(tvb,start); \
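Review bot: `get_uintvar_integer` now expands to a use of `pinfo`, which is not one of the macro's parameters, so every expansion site must have a `packet_info *pinfo` in scope under exactly that name; the macro touched in the -1438 hunk has the same hidden dependency. I would either pass it as an explicit macro argument or document it above the define, e.g. `/* Expands to a use of 'pinfo': the caller must have a packet_info *pinfo in scope. */`. The `len>5` test that sets `ok` is kept alongside whatever limit the helper enforces, so the two thresholds have to stay in step; the helper is defined outside this file and its limit is not visible here.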
@@ -1438,7 +1439,7 @@ parameter_value_q (proto_tree *tree, packet_info *pinfo, proto_item *ti, tvbuff_
/* END */ \
} else { /* val_start points to 1st byte of length field */ \
if (val_id == 0x1F) { /* Value Length = guintvar */ \
- val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len); \
+ val_len = tvb_get_guintvar(tvb, val_start + 1, &val_len_len, pinfo, &ei_wsp_oversized_uintvar); \
val_len_len++; /* 0x1F length indicator byte */ \
} else { /* Short length followed by Len data octets */ \
val_len = tvb_get_guint8(tvb, offset); \
@@ -4529,7 +4530,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
tvb, 0, 1, version);
/* Length of Application-Id headers list */
- val_len = tvb_get_guintvar(tvb, 1, &len);
+ val_len = tvb_get_guintvar(tvb, 1, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_app_id_list_len,
tvb, 1, len, val_len);
offset = 1 + len;
@@ -4539,7 +4540,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
offset += val_len;
/* Length of WSP contact points list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_wsp_contact_points_len,
tvb, offset, len, val_len);
offset += len;
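Review bot: `val_len` comes straight from the packet and is added to `offset` (`offset += val_len;`, the first line of this hunk and again in the -4554, -4565 and -4591 hunks) with no comparison against the remaining buffer visible in these hunks. The new expert info reports an over-long encoding, but a correctly encoded uintvar can still be larger than what is left in the tvb. Unless the elided lines in between already fetch `val_len` bytes and throw on a short buffer, a guard such as `if (val_len > (guint)tvb_reported_length_remaining(tvb, offset)) { /* add expert info and stop */ }` before each advance would keep `offset` from wrapping (assuming both are unsigned, which the hunk does not show). dissect_sir starts and ends outside the hunk.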
@@ -4554,7 +4555,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
offset += val_len;
/* Length of non-WSP contact points list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_contact_points_len,
tvb, offset, len, val_len);
offset += len;
@@ -4565,7 +4566,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
offset += val_len;
/* Number of entries in the Protocol Options list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_protocol_options_len,
tvb, offset, len, val_len);
offset += len;
@@ -4574,14 +4575,14 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
val_len_save = val_len;
for (i = 0; i < val_len_save; i++) {
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_protocol_options,
tvb, offset, len, val_len);
offset += len;
}
/* Length of ProvURL */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_prov_url_len,
tvb, offset, len, val_len);
offset += len;
@@ -4591,7 +4592,7 @@ dissect_sir(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
offset += val_len;
/* Number of entries in the CPITag list */
- val_len = tvb_get_guintvar(tvb, offset, &len);
+ val_len = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(subtree, hf_sir_cpi_tag_len,
tvb, offset, len, val_len);
offset += len;
@@ -4706,7 +4707,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
offset++;
} else {
count = 0; /* Initialise count */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint (wsp_tree,
hf_wsp_server_session_id,
tvb, offset, count, value);
@@ -4714,7 +4715,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
offset += count;
}
count = 0; /* Initialise count */
- capabilityLength = tvb_get_guintvar (tvb, offset, &count);
+ capabilityLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint (wsp_tree, hf_capabilities_length,
tvb, offset, count, capabilityLength);
offset += count;
@@ -4722,7 +4723,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
if (pdut != WSP_PDU_RESUME)
{
count = 0; /* Initialise count */
- headerLength = tvb_get_guintvar (tvb, offset, &count);
+ headerLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint (wsp_tree, hf_wsp_header_length,
tvb, offset, count, headerLength);
offset += count;
@@ -4759,7 +4760,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
case WSP_PDU_SUSPEND:
if (tree) {
count = 0; /* Initialise count */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint (wsp_tree,
hf_wsp_server_session_id,
tvb, offset, count, value);
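Review bot: In the WSP_PDU_SUSPEND case the uintvar is read inside `if (tree)`, so the oversized-uintvar expert info passed in here can only be raised when a protocol tree is being built; on a pass without a tree a malformed session id would go unreported. Since `proto_tree_add_uint` tolerates a NULL tree, I would drop the `if (tree) {` wrapper and call `value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);` unconditionally. Whether `offset` is advanced by `count` inside the same guard is not visible, because the block continues outside the hunk.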
@@ -4774,7 +4775,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
case WSP_PDU_TRACE:
count = 0; /* Initialise count */
/* Length of URI and size of URILen field */
- value = tvb_get_guintvar (tvb, offset, &count);
+ value = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
nextOffset = offset + count;
add_uri (wsp_tree, pinfo, tvb, offset, nextOffset, proto_ti);
if (tree) {
@@ -4788,10 +4789,10 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
case WSP_PDU_PUT:
uriStart = offset;
count = 0; /* Initialise count */
- uriLength = tvb_get_guintvar (tvb, offset, &count);
+ uriLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
headerStart = uriStart+count;
count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, headerStart, &count);
+ headersLength = tvb_get_guintvar (tvb, headerStart, &count, pinfo, &ei_wsp_oversized_uintvar);
offset = headerStart + count;
add_uri (wsp_tree, pinfo, tvb, uriStart, offset, proto_ti);
@@ -4869,7 +4870,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
case WSP_PDU_REPLY:
count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, offset+1, &count);
+ headersLength = tvb_get_guintvar (tvb, offset+1, &count, pinfo, &ei_wsp_oversized_uintvar);
headerStart = offset + count + 1;
{
guint8 reply_status = tvb_get_guint8(tvb, offset);
@@ -4960,7 +4961,7 @@ dissect_wsp_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
case WSP_PDU_PUSH:
case WSP_PDU_CONFIRMEDPUSH:
count = 0; /* Initialise count */
- headersLength = tvb_get_guintvar (tvb, offset, &count);
+ headersLength = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
headerStart = offset + count;
proto_tree_add_uint (wsp_tree, hf_wsp_header_length,
@@ -5095,7 +5096,7 @@ add_uri (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
guint URILenOffset, guint URIOffset, proto_item *proto_ti)
{
guint count = 0;
- guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count);
+ guint uriLen = tvb_get_guintvar (tvb, URILenOffset, &count, pinfo, &ei_wsp_oversized_uintvar);
gchar *str;
proto_tree_add_uint (tree, hf_wsp_header_uri_len,
@@ -5183,7 +5184,7 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
* Now Offset points to the 1st byte of a capability field.
* Get the length of the capability field
*/
- capaValueLen = tvb_get_guintvar(tvb, offset, &len);
+ capaValueLen = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
capaLen = capaValueLen + len;
cap_subtree = proto_tree_add_subtree(wsp_capabilities, tvb, offset, capaLen, ett_capabilities_entry, &cap_item, "Capability");
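Review bot: `capaLen = capaValueLen + len;` adds a packet-supplied length to the octet count with no overflow or bounds check visible in this hunk, so a large `capaValueLen` can make `capaLen` wrap to a small value or zero. If the enclosing loop (outside the hunk) advances by `capaLen`, the walk over the capabilities would stall or mis-step; whether the updated helper clamps its return value cannot be seen from this file. I would bound the value before the addition, e.g. `if (capaValueLen > (guint)tvb_reported_length_remaining(tvb, offset + len)) { /* add expert info, stop parsing capabilities */ }`. `HeadersLen` and `DataLen` in the -5499 hunk of add_multipart_data deserve the same check if they are summed into `offset`.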
@@ -5244,12 +5245,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
/* Now the capability type is known */
switch (peek) {
case WSP_CAPA_CLIENT_SDU_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(cap_subtree, hf_capa_client_sdu_size,
tvb, offset, len, value);
break;
case WSP_CAPA_SERVER_SDU_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(cap_subtree, hf_capa_server_sdu_size,
tvb, offset, len, value);
break;
@@ -5352,12 +5353,12 @@ add_capabilities (proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, guint8 pd
tvb, capaStart, capaLen, ENC_NA);
break;
case WSP_CAPA_CLIENT_MESSAGE_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(cap_subtree, hf_capa_client_message_size,
tvb, offset, len, value);
break;
case WSP_CAPA_SERVER_MESSAGE_SIZE:
- value = tvb_get_guintvar(tvb, offset, &len);
+ value = tvb_get_guintvar(tvb, offset, &len, pinfo, &ei_wsp_oversized_uintvar);
proto_tree_add_uint(cap_subtree, hf_capa_server_message_size,
tvb, offset, len, value);
break;
@@ -5489,7 +5490,7 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo)
heur_dtbl_entry_t *hdtbl_entry;
- nEntries = tvb_get_guintvar (tvb, offset, &count);
+ nEntries = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
offset += count;
if (nEntries)
{
@@ -5499,9 +5500,9 @@ add_multipart_data (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo)
while (nEntries--)
{
part_start = offset;
- HeadersLen = tvb_get_guintvar (tvb, offset, &count);
+ HeadersLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
offset += count;
- DataLen = tvb_get_guintvar (tvb, offset, &count);
+ DataLen = tvb_get_guintvar (tvb, offset, &count, pinfo, &ei_wsp_oversized_uintvar);
offset += count;
ti = proto_tree_add_uint(sub_tree, hf_wsp_mpart, tvb, part_start,
@@ -7157,6 +7158,7 @@ proto_register_wsp(void)
{ &ei_wsp_undecoded_parameter, { "wsp.undecoded_parameter", PI_UNDECODED, PI_WARN, "Invalid parameter value", EXPFILL }},
{ &ei_wsp_trailing_quote, { "wsp.trailing_quote", PI_PROTOCOL, PI_WARN, "Quoted-string value has been encoded with a trailing quote", EXPFILL }},
{ &ei_wsp_header_invalid, { "wsp.header_invalid", PI_MALFORMED, PI_ERROR, "Malformed header", EXPFILL }},
+ { &ei_wsp_oversized_uintvar, { "wsp.oversized_uintvar", PI_MALFORMED, PI_ERROR, "Uintvar is oversized", EXPFILL }}
};
expert_module_t* expert_wsp;