From 0e0851891559c3aebc35f31c4ba199cfecdbe7e1 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 8 Feb 2017 00:01:13 +0100
Subject: TLS13: add length validation for Pre-Shared Key Exchange Modes

Add length validation for expert info and add a reference.

Change-Id: Id21916b11ca924b517ea45294798692a010e7541
Reviewed-on: https://code.wireshark.org/review/20009
Reviewed-by: Peter Wu
---
 epan/dissectors/packet-ssl-utils.c | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

(limited to 'epan/dissectors/packet-ssl-utils.c')

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index a48a3fb9c2..e95c9b1817 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -6193,34 +6193,29 @@ ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
 }

 static gint
-ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb,
+ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
 proto_tree *tree, guint32 offset, guint32 offset_end)
 {
- /*
+ /* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
 *
 * struct {
 * PskKeyExchangeMode ke_modes<1..255>;
 * } PskKeyExchangeModes;
 */
- guint32 ke_modes_length, i;
-
- if (offset_end - offset < 1) {
- /* XXX expert info, there must be at least 1 ke mode */
- return offset;
- }
-
- proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_psk_ke_modes_len, tvb, offset, 1, ENC_NA, &ke_modes_length);
- offset += 1;
+ guint32 ke_modes_length, next_offset;

- if (ke_modes_length > offset_end - offset) {
- ke_modes_length = offset_end - offset;
- /* XXX expert info: size too large */
+ /* PskKeyExchangeMode ke_modes<1..255> */
+ if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
+ hf->hf.hs_ext_psk_ke_modes_len, 1, 255)) {
+ return offset_end;
 }
+ offset++;
+ next_offset = offset + ke_modes_length;

- for (i = 0; i < ke_modes_length; i++) {
+ while (offset < next_offset) {
 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA);
- offset += 1;
+ offset++;
 }

 return offset;
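Review bot: The loop bound `next_offset = offset + ke_modes_length` is never compared with `offset_end` inside this function, so how far the `while` loop walks through the buffer depends entirely on `ssl_add_vector` having rejected a wire length that overruns the extension. That helper's body is not part of this hunk, so the guarantee is assumed rather than visible here, whereas the removed code made the clamp explicit. I would state the contract at the point of use, for example `/* ssl_add_vector() has verified that ke_modes_length bytes fit before offset_end */`, or pin it with `DISSECTOR_ASSERT(next_offset <= offset_end);` before the loop. If the helper also returns false for an over-long length, the mode bytes that are present are no longer shown, unlike the old truncate-and-continue path; that is worth confirming as intended. The function's closing brace lies outside the hunk.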
@@ -7517,7 +7512,7 @@ ssl_dissect_hnd_hello_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
 break;
 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES:
- offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, ext_tree, offset, next_offset);
+ offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
 break;
 case SSL_HND_HELLO_EXT_DRAFT_VERSION_TLS13:
 proto_tree_add_item(ext_tree, hf->hf.hs_ext_draft_version_tls13,
-- 
cgit v1.2.1