From e82fa761d671fd4e1c6cdeccd57473fb18982e87 Mon Sep 17 00:00:00 2001
From: Pascal Quantin
Date: Wed, 7 Jun 2017 14:18:52 +0200
Subject: RANAP: prevent heuristic dissector from adding info to tree or triggering exception
Bug: 13770
Change-Id: I6ba5dfb5098ea1a4d4d1e2d740382326c7d58f8c
Reviewed-on: https://code.wireshark.org/review/22006
Petri-Dish: Pascal Quantin
Reviewed-by: Ivan Nardi
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin
---
epan/dissectors/asn1/ranap/packet-ranap-template.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
(limited to 'epan/dissectors/asn1/ranap/packet-ranap-template.c')
diff --git a/epan/dissectors/asn1/ranap/packet-ranap-template.c b/epan/dissectors/asn1/ranap/packet-ranap-template.c
index 6dcc0b92de..ef7c2d7de0 100644
--- a/epan/dissectors/asn1/ranap/packet-ranap-template.c
+++ b/epan/dissectors/asn1/ranap/packet-ranap-template.c
@@ -267,12 +267,9 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi { guint8 temp; guint16 word; - asn1_ctx_t asn1_ctx; guint length; int offset; - asn1_ctx_init(&asn1_ctx, ASN1_ENC_PER, TRUE, pinfo); - /* Is it a ranap packet? * * 4th octet should be the length of the rest of the message.
@@ -285,9 +282,21 @@ dissect_sccp_ranap_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi #define LENGTH_OFFSET 3 #define MSG_TYPE_OFFSET 1 if (tvb_captured_length(tvb) < RANAP_MSG_MIN_LENGTH) { return FALSE; } - /* Read the length NOTE offset in bits */ - offset = dissect_per_length_determinant(tvb, LENGTH_OFFSET<<3, &asn1_ctx, tree, -1, &length, NULL); - offset = offset>>3; + /* compute aligned PER length determinant without calling dissect_per_length_determinant() + to avoid exceptions and info added to tree, info column and expert info */ + offset = LENGTH_OFFSET; + length = tvb_get_guint8(tvb, offset); + offset += 1; + if ((length & 0x80) == 0x80) { + if ((length & 0xc0) == 0x80) { + length &= 0x3f; + length <<= 8; + length += tvb_get_guint8(tvb, offset); + offset += 1; + } else { + length = 0; + } + } if (length!= (tvb_reported_length(tvb) - offset)){ return FALSE; } -- cgit v1.2.1
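Review bot: The second `tvb_get_guint8(tvb, offset)` inside the `(length & 0xc0) == 0x80` branch reads octet 4, so the "avoid exceptions" goal stated in the new comment holds only if RANAP_MSG_MIN_LENGTH, which is defined outside this hunk, is at least 5; that dependency deserves a note next to the read, e.g. `/* octet 4 is within RANAP_MSG_MIN_LENGTH, so this cannot throw */`. The `else { length = 0; }` path for the `11xxxxxx` fragmented length form only rejects the packet indirectly, by relying on the later `length != tvb_reported_length(tvb) - offset` comparison failing, which again depends on the minimum-length check keeping the remaining length non-zero; `} else { return FALSE; /* fragmented length determinant: not a RANAP message */ }` makes the rejection explicit and independent of that coincidence. The `0x80`/`0xc0`/`0x3f` masks would read better as named constants for the aligned-PER length-determinant forms, though that is a style preference. dissect_sccp_ranap_heur begins and ends outside this hunk.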