Wireshark mailing list archives

Re: [PATCH] babel: fix infinite loop with TLVs of length 0.


From: Pascal Quantin <pascal () wireshark org>
Date: Tue, 5 Nov 2019 14:32:04 +0100

Hi Juliusz,

do you intend to push the patch set to our Gerrit as explained in
https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html ?
Our workflow is not using mail based patches.

Presumably we should also remove the test on sublen == 0 I added to fix the
infinite loop (as you stated this was valid). Moreover, in the case of
MESSAGE_SUB_PAD1, is the beg variable really only incremented by 1 and not 2?
(You also fetched a sublen field and highlighted 2 bytes for the
hf_babel_subtlv field.)

Best regards,
Pascal.

On Tue, 5 Nov 2019 at 15:25, Juliusz Chroboczek <jch () irif fr> wrote:

From: Sawssen Hadded <saw.hadded () gmail com>

Sublen was misinterpreted -- it's the length of the value, not of the TLV.

Fixes #15856.

Change-Id: I8090425abd83654304a3539ac2ea6bc3f107ef5c
---
 epan/dissectors/packet-babel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-babel.c
b/epan/dissectors/packet-babel.c
index 141a70ed90..361d4584f5 100644
--- a/epan/dissectors/packet-babel.c
+++ b/epan/dissectors/packet-babel.c
@@ -264,7 +264,7 @@ dissect_babel_subtlvs(tvbuff_t * tvb, packet_info
*pinfo, guint8 type,

         sub_item =
           proto_tree_add_uint_format(message_tree, hf_babel_subtlv,
-                                     tvb, beg, sublen, subtype,
+                                     tvb, beg, sublen+2, subtype,
                                      "Sub TLV %s (%u)",
                                      val_to_str_const(subtype, subtlvs,
"unknown"),
                                      subtype);
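
Review bot: The new item length `sublen+2` in the `proto_tree_add_uint_format()` call applies to every subtype, including MESSAGE_SUB_PAD1, because this call (around line 264) comes before the Pad1 branch (around line 280) that advances `beg` by only 1. For a Pad1 sub-TLV the highlighted range would then be longer than the one byte consumed and, if `sublen` has already been read at this point, would be sized by a byte that belongs to the following sub-TLV. Suggest handling Pad1 before adding the item and giving it a length of 1. No bounds check is visible in this hunk, so please also confirm that `beg + sublen + 2` is checked against the end of the enclosing TLV before it is used as an item length. Style nit: `sublen + 2` with spaces around the operator.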
@@ -280,7 +280,7 @@ dissect_babel_subtlvs(tvbuff_t * tvb, packet_info
*pinfo, guint8 type,
         }

         if(subtype == MESSAGE_SUB_PAD1){
-            beg += sublen;
+            beg += 1;
             continue;
         }
         if ((MANDATORY_FLAG & subtype) != 0) {
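
Review bot: `beg += 1` in the MESSAGE_SUB_PAD1 branch corrects the Pad1 advance, but the advance for every other subtype is not touched by this patch (the diffstat shows 2 insertions and 2 deletions, both visible here). Since the commit message says sublen is the length of the value and not of the TLV, that advance has to be `sublen + 2`; if it is still `beg += sublen`, a sub-TLV with a zero-length value makes no forward progress, which is the loop this patch is meant to fix. Please confirm how the loop advances for non-Pad1 subtypes, and add a short comment on the `beg += 1` line saying that Pad1 has no length octet.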
--
2.23.0
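
The forward-progress rule discussed in this thread (Pad1 occupies one byte, every other sub-TLV occupies sublen + 2 bytes), as an added example that is neither Wireshark's dissector code nor part of the patch: a standalone walker over constructed byte buffers. `walk_subtlvs`, `SUB_PAD1` and the sample bytes are hypothetical names and data; the Pad1 type value 0 is an assumption taken from the Babel specification, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUB_PAD1 0 /* assumed value; Pad1 is a lone type octet, no length */

/* Constructed sample: Pad1, type 1 with empty value, type 3 with 2 bytes, Pad1 */
static const uint8_t sample_ok[] = {0x00, 0x01, 0x00, 0x03, 0x02, 0xAA, 0xBB, 0x00};
/* Constructed sample: claims a 5-byte value but only 1 byte follows */
static const uint8_t sample_trunc[] = {0x03, 0x05, 0xAA};

/* Hypothetical helper: count the sub-TLVs in buf[0..len), or return -1 if
 * one is truncated. Each iteration advances beg by at least one byte, so a
 * value length of 0 cannot stall the loop. */
int walk_subtlvs(const uint8_t *buf, size_t len)
{
    size_t beg = 0;
    int count = 0;

    while (beg < len) {
        count++;
        if (buf[beg] == SUB_PAD1) {
            beg += 1;                 /* type octet only */
            continue;
        }
        if (len - beg < 2)            /* length octet missing */
            return -1;
        size_t sublen = buf[beg + 1]; /* length of the value, not of the TLV */
        if (sublen > len - beg - 2)   /* value would run past the buffer */
            return -1;
        beg += sublen + 2;            /* type + length + value */
    }
    return count;
}

int main(void)
{
    printf("well-formed: %d sub-TLVs\n", walk_subtlvs(sample_ok, sizeof sample_ok));
    printf("truncated:   %d\n", walk_subtlvs(sample_trunc, sizeof sample_trunc));
    return 0;
}
```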


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev