diff options
| author | Michael Mann <mmann78@netscape.net> | 2017-06-13 23:05:24 -0400 |
|---|---|---|
| committer | Michael Mann <mmann78@netscape.net> | 2017-06-14 11:38:36 +0000 |
| commit | 75e2c7ef57643639484a07da98a7fb2629bd000c (patch) | |
| tree | 382197a99405f182dccaab2977f9bf43363be443 /epan | |
| parent | 9adc7afb9307a252fa50b75687c09ba1a9f613a2 (diff) | |
| download | wireshark-75e2c7ef57643639484a07da98a7fb2629bd000c.tar.gz | |
WBXML: Fix some more potential infinite loops.
tvb_get_guintvar can generate some unrealistic values so do some
sanity checking on them.
Bug: 13796
Change-Id: I2d5f7a48c2e982a419ea6ab3ac0000be3b6bcbc7
Reviewed-on: https://code.wireshark.org/review/22121
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit 50fa2d95833ec2e2b0de3000eda7b290fc23eaeb)
Reviewed-on: https://code.wireshark.org/review/22128
Diffstat (limited to 'epan')
| -rw-r--r-- | epan/dissectors/packet-wbxml.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/epan/dissectors/packet-wbxml.c b/epan/dissectors/packet-wbxml.c index b740a44cd9..690101f90e 100644 --- a/epan/dissectors/packet-wbxml.c +++ b/epan/dissectors/packet-wbxml.c @@ -7233,7 +7233,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb, packet_info } } else { idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); - if (len <= tvb_len) { + if ((len <= tvb_len) && (idx < tvb_len)) { proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len + idx, NULL, " %3d | Attr | A %3d | OPAQUE (Opaque data) | %s(%u bytes of opaque data)", level, *codepage_attr, Indent (level), idx); @@ -7496,10 +7496,16 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, gu off += 1 + len; } else { idx = tvb_get_guintvar (tvb, off+1, &len, pinfo, &ei_wbxml_oversized_uintvar); - proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len + idx, NULL, - " %3d | Tag | T %3d | OPAQUE (Opaque data) | %s(%u bytes of opaque data)", - *level, *codepage_stag, Indent (*level), idx); - off += 1+len+idx; + if ((len <= tvb_len) && (idx < tvb_len)) + { + proto_tree_add_bytes_format(tree, hf_wbxml_opaque_data, tvb, off, 1 + len + idx, NULL, + " %3d | Tag | T %3d | OPAQUE (Opaque data) | %s(%u bytes of opaque data)", + *level, *codepage_stag, Indent (*level), idx); + off += 1+len+idx; + } else { + /* Stop processing as it is impossible to parse now */ + off = tvb_len; + } } } else { /* WBXML 1.0 - RESERVED_2 token (invalid) */ proto_tree_add_none_format(tree, hf_wbxml_reserved_2, tvb, off, 1, |