From e47b68b578db306f2c8a5681359edebab2e2c9d3 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Fri, 30 Jun 2017 21:15:21 +0200 Subject: ospf: workaround Opaque Information with bad TLV The linked pcap seems to contain a TLV (type=255 (Unknown)) followed by four bytes (00 00 00 14, interpreted as TLV (type=0, length=20)). That is bogus, so stop dissecting if no more data is available. While at it, implement alignment at four octets. Bug: 13823 Change-Id: Iacf863c0c6605db40e87f63a950d61c1db6debaa Reviewed-on: https://code.wireshark.org/review/22488 Reviewed-by: Michael Mann Petri-Dish: Michael Mann Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman --- epan/dissectors/packet-ospf.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'epan')
diff --git a/epan/dissectors/packet-ospf.c b/epan/dissectors/packet-ospf.c
index 5c265a245d..1199e7b797 100644
--- a/epan/dissectors/packet-ospf.c
+++ b/epan/dissectors/packet-ospf.c
@@ -2391,14 +2391,15 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 {
 proto_tree *ri_tree;
 proto_tree *tlv_tree;
+ int offset_end = offset + length;
 int tlv_type;
- int tlv_length;
+ guint tlv_length;
 ri_tree = proto_tree_add_subtree(tree, tvb, offset, length, ett_ospf_lsa_opaque_ri, NULL, "Opaque Router Information LSA");
- while (length > 0) {
+ while (offset < offset_end) {
 tlv_type = tvb_get_ntohs(tvb, offset);
 tlv_length = tvb_get_ntohs(tvb, offset + 2);
@@ -2427,7 +2428,7 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 break;
 case OPAQUE_TLV_SA:{
- int sa_number;
+ guint sa_number;
 tlv_tree = proto_tree_add_subtree_format(ri_tree, tvb, offset, tlv_length+4, ett_ospf_lsa_sa_tlv, NULL, "%s", val_to_str_const(tlv_type, ri_tlv_type_vals, "Unknown Opaque RI LSA TLV"));
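Review bot: The new loop condition `while (offset < offset_end)` only guarantees that one byte remains, yet the two lines that follow read a 4-byte TLV header with `tvb_get_ntohs(tvb, offset)` and `tvb_get_ntohs(tvb, offset + 2)`; nothing in the hunk requires `length` to be a multiple of four, so one to three trailing bytes inside the LSA make the header read run past `offset_end` (whether that raises a bounds error or quietly consumes bytes of whatever follows depends on how the caller bounded `tvb`, which is outside this hunk). Adding `if (offset_end - offset < 4) { return; }` as the first statement of the loop body rejects a truncated header in the same spirit as the unknown-TLV length check the commit adds further down. The remainder of dissect_ospf_lsa_opaque_ri, including its fourth parameter, lies outside this hunk.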
@@ -2441,6 +2442,10 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 break;
 }
 default:
+ if (tlv_length > (guint)(offset_end - offset)) {
+ /* Invalid length, probably not TLV. */
+ return;
+ }
 tlv_tree = proto_tree_add_subtree_format(ri_tree, tvb, offset, tlv_length+4, ett_ospf_lsa_unknown_tlv, NULL, "%s", val_to_str_const(tlv_type, ri_tlv_type_vals, "Unknown Opaque RI LSA TLV"));
@@ -2453,8 +2458,11 @@ dissect_ospf_lsa_opaque_ri(tvbuff_t *tvb, int offset, proto_tree *tree,
 }
- offset += tlv_length + 4;
- length -= tlv_length + 4;
+ /*
+ * RFC 7770, section 2.3: 4-octet aligned, but type, length and padding
+ * is not included in the length.
+ * */
+ offset += 4 + ((tlv_length + 3) & ~3);
 }
 }
-- cgit v1.2.1
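Review bot: The guard added in the `default:` case compares `tlv_length` against the whole of `offset_end - offset`, but at that point `offset` still addresses the 4-byte type/length header, so a value length equal to the remaining byte count passes and the subtree sized `tlv_length+4` on the next line extends up to four bytes past the end of the LSA; the comparison should be `if (tlv_length + 4 > (guint)(offset_end - offset)) {` (no overflow concern, `tlv_length` comes from `tvb_get_ntohs` and is at most 65535). The same bound is missing from the known-TLV branches such as `OPAQUE_TLV_SA` in the preceding hunk, which also size their subtree with `tlv_length+4`, so hoisting one check to just after the two `tvb_get_ntohs` reads in the first hunk would cover every branch at once. Termination is unaffected either way, since the alignment step in the last hunk advances `offset` by at least 4 per iteration. The comment `/* Invalid length, probably not TLV. */` would be more useful if it named the bound, e.g. `/* Header plus value would run past the end of the LSA; stop rather than misparse trailing bytes. */`.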