bpv6: Fix possible infinite loop

display_extension_block is supposed to return the current offset, not the number of bytes remaining. The number of bytes remaining can be less than the current offset and cause an infinite loop. In the case of an error, set lastheader and return the current offset in order to break out of the main processing loop. Fix #18711.
wireshark · Dec 13, 2022 · 2fd04b6 · 2fd04b6
1 parent 73866d3
commit 2fd04b6
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/epan/dissectors/packet-bpv6.c b/epan/dissectors/packet-bpv6.c
@@ -1704,8 +1704,8 @@ display_extension_block(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int
             proto_tree_add_int(result_tree, hf_block_ciphersuite_result_item_length, tvb, offset, sdnv_length, result_item_length);
             if (ei) {
                 proto_tree_add_expert(result_tree, pinfo, ei, tvb, offset, -1);
-                offset = tvb_reported_length_remaining(tvb, offset);
-                break;
+                *lastheader = TRUE;
+                return offset;
             }
             offset += sdnv_length;