
Commit b8e0d41

WBXML: add a basic sanity check for offset overflow
This is a naive approach that allows detecting that something went wrong, without the need to replace all proto_tree_add_text() calls as was done in the master-2.0 branch. Bug: 12408 Change-Id: Ia14905005e17ae322c2fc639ad5e491fa08b0108 Reviewed-on: https://code.wireshark.org/review/15310 Reviewed-by: Michael Mann <mmann78@netscape.net> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
1 parent 0a8a44c commit b8e0d41


1 file changed

+24
-4
lines changed


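--- a/epan/dissectors/packet-wbxml.c
+++ b/epan/dissectors/packet-wbxml.c
@@ -7304,7 +7304,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 const wbxml_decoding *map)
 {
 guint32 tvb_len = tvb_reported_length (tvb);
-guint32 off = offset;
+guint32 off = offset, last_off;
 guint32 len;
 guint str_len;
 guint32 ent;
@@ -7323,6 +7323,7 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 tag_save_literal = NULL; /* Prevents compiler warning */
 
 DebugLog(("parse_wbxml_tag_defined (level = %u, offset = %u)\n", *level, offset));
+last_off = off;
 while (off < tvb_len) {
 peek = tvb_get_guint8 (tvb, off);
 DebugLog(("STAG: (top of while) level = %3u, peek = 0x%02X, off = %u, tvb_len = %u\n", *level, peek, off, tvb_len));
@@ -7694,6 +7695,10 @@ parse_wbxml_tag_defined (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 /* TODO: Do I have to reset code page here? */
 }
 } /* if (tag & 0x3F) >= 5 */
+if (off < last_off) {
+THROW(ReportedBoundsError);
+}
+last_off = off;
 } /* while */
 DebugLog(("STAG: level = %u, Return: len = %u (end of function body)\n", *level, off - offset));
 return (off - offset);
@@ -7711,7 +7716,7 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 guint8 *codepage_stag, guint8 *codepage_attr)
 {
 guint32 tvb_len = tvb_reported_length (tvb);
-guint32 off = offset;
+guint32 off = offset, last_off;
 guint32 len;
 guint str_len;
 guint32 ent;
@@ -7732,6 +7737,7 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 tag_save_literal = NULL; /* Prevents compiler warning */
 
 DebugLog(("parse_wbxml_tag (level = %u, offset = %u)\n", *level, offset));
+last_off = off;
 while (off < tvb_len) {
 peek = tvb_get_guint8 (tvb, off);
 DebugLog(("STAG: (top of while) level = %3u, peek = 0x%02X, off = %u, tvb_len = %u\n", *level, peek, off, tvb_len));
@@ -8091,6 +8097,10 @@ parse_wbxml_tag (proto_tree *tree, tvbuff_t *tvb, guint32 offset,
 /* TODO: Do I have to reset code page here? */
 }
 } /* if (tag & 0x3F) >= 5 */
+if (off < last_off) {
+THROW(ReportedBoundsError);
+}
+last_off = off;
 } /* while */
 DebugLog(("STAG: level = %u, Return: len = %u (end of function body)\n",
 *level, off - offset));
@@ -8126,7 +8136,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb,
 const wbxml_decoding *map)
 {
 guint32 tvb_len = tvb_reported_length (tvb);
-guint32 off = offset;
+guint32 off = offset, last_off;
 guint32 len;
 guint str_len;
 guint32 ent;
@@ -8138,6 +8148,7 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb,
 DebugLog(("parse_wbxml_attr_defined (level = %u, offset = %u)\n",
 level, offset));
 /* Parse attributes */
+last_off = off;
 while (off < tvb_len) {
 peek = tvb_get_guint8 (tvb, off);
 DebugLog(("ATTR: (top of while) level = %3u, peek = 0x%02X, "
@@ -8330,6 +8341,10 @@ parse_wbxml_attribute_list_defined (proto_tree *tree, tvbuff_t *tvb,
 off++;
 }
 }
+if (off < last_off) {
+THROW(ReportedBoundsError);
+}
+last_off = off;
 } /* End WHILE */
 DebugLog(("ATTR: level = %u, Return: len = %u (end of function body)\n",
 level, off - offset));
@@ -8350,7 +8365,7 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb,
 guint32 offset, guint32 str_tbl, guint8 level, guint8 *codepage_attr)
 {
 guint32 tvb_len = tvb_reported_length (tvb);
-guint32 off = offset;
+guint32 off = offset, last_off;
 guint32 len;
 guint str_len;
 guint32 ent;
@@ -8359,6 +8374,7 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb,
 
 DebugLog(("parse_wbxml_attr (level = %u, offset = %u)\n", level, offset));
 /* Parse attributes */
+last_off = off;
 while (off < tvb_len) {
 peek = tvb_get_guint8 (tvb, off);
 DebugLog(("ATTR: (top of while) level = %3u, peek = 0x%02X, "
@@ -8516,6 +8532,10 @@ parse_wbxml_attribute_list (proto_tree *tree, tvbuff_t *tvb,
 off++;
 }
 }
+if (off < last_off) {
+THROW(ReportedBoundsError);
+}
+last_off = off;
 } /* End WHILE */
 DebugLog(("ATTR: level = %u, Return: len = %u (end of function body)\n",
 level, off - offset));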
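Review bot: The new guard at the tail of each loop, `if (off < last_off)`, only catches an iteration in which the guint32 `off` wraps to a smaller value; an iteration that pushes `off` past `tvb_len` without wrapping leaves `while (off < tvb_len)` normally and the function returns `off - offset`, a length larger than the data it was handed. Tightening the test to `if (off < last_off || off > tvb_len) THROW(ReportedBoundsError);` would report that case as malformed too, provided no legitimate iteration is meant to end beyond `tvb_len`. If any branch of the loop body can leave `off` unchanged, `off <= last_off` would additionally turn a silent infinite loop into a bounds error, but whether such a branch exists is not visible here. The same four-line check is pasted into all four functions; a small `static` helper or macro would keep the four copies from drifting apart. The loop bodies of parse_wbxml_tag_defined, parse_wbxml_tag, parse_wbxml_attribute_list_defined and parse_wbxml_attribute_list all lie outside the hunks, so this is inferred from the loop headers and the end of each iteration.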
