From 1ca0f4f8af0f42d02064033f4553483a046e0bb5 Mon Sep 17 00:00:00 2001
From: Evan Huus <eapache@gmail.com>
Date: Fri, 1 Mar 2013 19:17:13 +0000
Subject: [PATCH 03/10] Backport the workaround with manual intervention:
 ------------------------------------------------------------------------
 r47979 | eapache | 2013-03-01 14:08:30 -0500 (Fri, 01
 Mar 2013) | 3 lines

Add a much better workaround for bug #8382 and some expert info.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8382

------------------------------------------------------------------------
The actual fix (when it comes) will be too intrusive to backport.

svn path=/trunk-1.8/; revision=47981
---
 epan/dissectors/packet-ms-mms.c |   26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c
index 5acd1e6..77bf737 100644
--- a/epan/dissectors/packet-ms-mms.c
+++ b/epan/dissectors/packet-ms-mms.c
@@ -41,6 +41,7 @@
 #include <epan/packet.h>
 #include <epan/conversation.h>
 #include <epan/strutil.h>
+#include <epan/expert.h>
 
 static dissector_handle_t msmms_handle;
 static gint               proto_msmms                      = -1;
@@ -815,6 +816,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro
 static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                 guint offset)
 {
+    proto_item *ti;
     guint32 server_version_length = 0;
     guint32 tool_version_length = 0;
     guint32 download_update_player_length = 0;
@@ -843,23 +845,39 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t
 
     /* Length of server version */
     server_version_length = tvb_get_letohl(tvb, offset);
-    proto_tree_add_item(tree, hf_msmms_command_server_version_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    ti = proto_tree_add_item(tree, hf_msmms_command_server_version_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
     offset += 4;
+    if (server_version_length > (guint) tvb_reported_length_remaining(tvb, offset)) {
+        expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_ERROR, "Invalid string length");
+        server_version_length = 0;
+    }
 
     /* Length of tool version */
     tool_version_length = tvb_get_letohl(tvb, offset);
-    proto_tree_add_item(tree, hf_msmms_command_tool_version_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    ti = proto_tree_add_item(tree, hf_msmms_command_tool_version_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
     offset += 4;
+    if (tool_version_length > (guint) tvb_reported_length_remaining(tvb, offset)) {
+        expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_ERROR, "Invalid string length");
+        tool_version_length = 0;
+    }
 
     /* Length of download update player URL */
     download_update_player_length = tvb_get_letohl(tvb, offset);
-    proto_tree_add_item(tree, hf_msmms_command_update_url_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    ti = proto_tree_add_item(tree, hf_msmms_command_update_url_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
     offset += 4;
+    if (download_update_player_length > (guint) tvb_reported_length_remaining(tvb, offset)) {
+        expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_ERROR, "Invalid string length");
+        download_update_player_length = 0;
+    }
 
     /* Length of password encryption type */
     password_encryption_type_length = tvb_get_letohl(tvb, offset);
-    proto_tree_add_item(tree, hf_msmms_command_password_type_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    ti = proto_tree_add_item(tree, hf_msmms_command_password_type_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
     offset += 4;
+    if (password_encryption_type_length > (guint) tvb_reported_length_remaining(tvb, offset)) {
+        expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_ERROR, "Invalid string length");
+        password_encryption_type_length = 0;
+    }
 
     /* Server version string */
     if (server_version_length > 1)
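Review bot: Each of the four new checks (server version, tool version, update URL, password type) bounds its length field against the remaining reported bytes on its own, so the lengths are never validated as a sum and the unit is taken to be bytes. The code that consumes these lengths starts at the last line of the hunk and continues outside it; if it treats them as counts of two-byte characters, the comparison should be against half the remainder, e.g. `if (server_version_length > (guint) tvb_reported_length_remaining(tvb, offset) / 2) {`. Because a failed check resets the length to 0, a comment such as `/* Workaround for bug #8382: ignore string lengths larger than the remaining data */` above the first check would tell the next reader why the value is discarded. The four blocks differ only in the variable, so a small static helper would keep them from drifting apart.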
-- 
1.7.10.4

