1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
Description: Fix for BER stack overflow backported from Wireshark 1.2.12
diff -urN wireshark-1.2.11/epan/dissectors/packet-ber.c wireshark-1.2.12/epan/dissectors/packet-ber.c
--- wireshark-1.2.11/epan/dissectors/packet-ber.c 2010-08-29 18:24:47.000000000 -0700
+++ wireshark-1.2.12/epan/dissectors/packet-ber.c 2010-10-11 11:29:27.000000000 -0700
@@ -206,6 +206,14 @@
gpointer user_data;
} da_data;
+/*
+ * Set a limit on recursion so we don't blow away the stack. Another approach
+ * would be to remove recursion completely but then we'd exhaust CPU+memory
+ * trying to read a hellabyte of nested indefinite lengths.
+ * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
+ */
+#define BER_MAX_NESTING 500
+
void
dissect_ber_oid_NULL_callback(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_)
@@ -373,7 +381,8 @@
return offset;
}
-int dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+static int
+try_dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, gint nest_level)
{
int start_offset;
gint8 class;
@@ -389,6 +398,11 @@
proto_item *pi, *cause;
asn1_ctx_t asn1_ctx;
+ if (nest_level > BER_MAX_NESTING) {
+ /* Assume that we have a malformed packet. */
+ THROW(ReportedBoundsError);
+ }
+
start_offset=offset;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
@@ -449,7 +463,7 @@
}
item = proto_tree_add_item(tree, hf_ber_unknown_BER_OCTETSTRING, tvb, offset, len, FALSE);
next_tree = proto_item_add_subtree(item, ett_ber_octet_string);
- offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
} else {
offset = dissect_ber_octet_string(FALSE, &asn1_ctx, tree, tvb, start_offset, hf_ber_unknown_OCTETSTRING, NULL);
}
@@ -562,7 +576,7 @@
next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
}
while(offset < (int)(start_offset + len + hdr_len))
- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
break;
case BER_CLASS_APP:
case BER_CLASS_CON:
@@ -573,7 +587,7 @@
next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
}
while(offset < (int)(start_offset + len + hdr_len))
- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
break;
}
@@ -584,6 +598,11 @@
return offset;
}
+int
+dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+{
+ return try_dissect_unknown_ber(pinfo, tvb, offset, tree, 1);
+}
int
call_ber_oid_callback(const char *oid, tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree)
@@ -764,13 +783,6 @@
*/
/* 8.1.3 Length octets */
-/*
- * Set a limit on recursion so we don't blow away the stack. Another approach
- * would be to remove recursion completely but then we'd exhaust CPU+memory
- * trying to read a hellabyte of nested indefinite lengths.
- * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
- */
-#define BER_MAX_INDEFINITE_NESTING 500
static int
try_get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind, gint nest_level) {
guint8 oct, len;
@@ -784,7 +796,7 @@
tmp_length = 0;
tmp_ind = FALSE;
- if (nest_level > BER_MAX_INDEFINITE_NESTING) {
+ if (nest_level > BER_MAX_NESTING) {
/* Assume that we have a malformed packet. */
THROW(ReportedBoundsError);
}
|
