Skip to content
Permalink
Browse files Browse the repository at this point in the history
SPOOLSS: Try to avoid an infinite loop.
Use tvb_reported_length_remaining in dissect_spoolss_uint16uni. Make
sure our offset always increments in dissect_spoolss_keybuffer.

Change-Id: I7017c9685bb2fa27161d80a03b8fca4ef630e793
Reviewed-on: https://code.wireshark.org/review/14687
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
  • Loading branch information
geraldcombs authored and mmann78 committed Mar 30, 2016
1 parent 782191f commit b4d16b4
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions epan/dissectors/packet-dcerpc-spoolss.c
Expand Up @@ -1090,7 +1090,7 @@ dissect_spoolss_uint16uni(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,

/* Get remaining data in buffer as a string */

remaining = tvb_captured_length_remaining(tvb, offset);
remaining = tvb_reported_length_remaining(tvb, offset);
if (remaining <= 0) {
if (data)
*data = g_strdup("");
Expand Down Expand Up @@ -6198,9 +6198,10 @@ dissect_spoolss_keybuffer(tvbuff_t *tvb, int offset, packet_info *pinfo,
end_offset = tvb_reported_length_remaining(tvb, offset) + 1;
}

while (offset < end_offset)
while (offset > 0 && offset < end_offset) {
offset = dissect_spoolss_uint16uni(
tvb, offset, pinfo, tree, drep, NULL, hf_keybuffer);
}

return offset;
}
Expand Down

0 comments on commit b4d16b4

Please sign in to comment.