Ethereal-dev: [Ethereal-dev] 0.8.12: infinite loop with invalid icmp6 option values

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Santeri Paavolainen <santtu@xxxxxxx>
Date: Thu, 12 Oct 2000 13:50:33 +0300 (EEST)
The packet-icmp6.c dissector can get into an infinite loop if a packet it
receives has ICMPv6 options with a length field of zero (0).

This patch fixes the problem.

-- 
santtu@xxxxxx                    I have become death, destroyer of the worlds.
*** ethereal-0.8.12-orig/packet-icmpv6.c	Tue Sep 12 23:25:18 2000
--- ethereal-0.8.12/packet-icmpv6.c	Thu Oct 12 12:59:53 2000
***************
*** 1,5 ****
  /* packet-icmpv6.c
!  * Routines for ICMPv6 packet disassembly 
   *
   * $Id: packet-icmpv6.c,v 1.25 2000/08/29 14:17:12 itojun Exp $
   *
--- 1,5 ----
  /* packet-icmpv6.c
!  * Routines for ICMPv6 packet disassembly
   *
   * $Id: packet-icmpv6.c,v 1.25 2000/08/29 14:17:12 itojun Exp $
   *
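Review bot: this hunk only strips a trailing space from the "Routines for ICMPv6 packet disassembly" line (the two `!` lines are otherwise identical), and the same holds for the license-comment hunk below and for the removal of the final blank line at the end of the file; splitting these cosmetic changes out of the functional fix, or dropping them, would make the patch easier to review and to apply against other trees.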
***************
*** 7,23 ****
   * By Gerald Combs <gerald@xxxxxxxx>
   * Copyright 1998 Gerald Combs
   *
!  * 
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
   * as published by the Free Software Foundation; either version 2
   * of the License, or (at your option) any later version.
!  * 
   * This program is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
!  * 
   * You should have received a copy of the GNU General Public License
   * along with this program; if not, write to the Free Software
   * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
--- 7,23 ----
   * By Gerald Combs <gerald@xxxxxxxx>
   * Copyright 1998 Gerald Combs
   *
!  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
   * as published by the Free Software Foundation; either version 2
   * of the License, or (at your option) any later version.
!  *
   * This program is distributed in the hope that it will be useful,
   * but WITHOUT ANY WARRANTY; without even the implied warranty of
   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   * GNU General Public License for more details.
!  *
   * You should have received a copy of the GNU General Public License
   * along with this program; if not, write to the Free Software
   * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
***************
*** 208,213 ****
--- 208,221 ----
        }
      }
  
+     if (opt->nd_opt_len == 0) {
+         proto_tree_add_text(icmp6opt_tree, NullTVB,
+                             offset + offsetof(struct nd_opt_hdr, nd_opt_len), 1,
+                             "Invalid option length: %d",
+                             opt->nd_opt_len);
+         return;
+     }
+ 
      offset += (opt->nd_opt_len << 3);
      goto again;
  }
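Review bot: the guard is placed after the option handling that precedes it (the closing braces at the top of the hunk) and directly before `offset += (opt->nd_opt_len << 3);`, so a zero-length option has already been interpreted before it is rejected; moving the check to the point where `opt` is first read would reject the malformed header before any of its body is dissected. Two smaller points: because the condition is `== 0`, the `%d` in "Invalid option length: %d" will always print 0, so a fixed message would do; and this hunk only covers the zero case, so unless the surrounding loop already bounds `offset` against the captured length, an over-long `nd_opt_len` would still walk past the end of the option data.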
***************
*** 1019,1022 ****
  {
    old_dissector_add("ip.proto", IP_PROTO_ICMPV6, dissect_icmpv6);
  }
- 
--- 1027,1029 ----
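The loop behaviour the post describes, as an added example that is not part of the original message or of Ethereal's own code: a minimal walker over an ICMPv6 ND option chain that applies the same zero-length guard (and also refuses an option that claims more bytes than remain). The `struct nd_opt_hdr` layout and the sample option bytes are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ND option header the dissector walks:
 * one type byte, then a length byte counted in units of 8 octets. */
struct nd_opt_hdr {
    uint8_t nd_opt_type;
    uint8_t nd_opt_len;
};

/* Walk the option chain in buf[0..len). Returns the number of options seen,
 * or -1 on a malformed option. A zero length is the case that made the
 * unpatched loop spin forever: offset += (0 << 3) never advances. */
int walk_nd_options(const uint8_t *buf, size_t len)
{
    size_t offset = 0;
    int count = 0;

    while (offset + sizeof(struct nd_opt_hdr) <= len) {
        const struct nd_opt_hdr *opt = (const struct nd_opt_hdr *)(buf + offset);
        size_t opt_bytes = (size_t)opt->nd_opt_len << 3;  /* same shift as the dissector */

        if (opt->nd_opt_len == 0) {
            /* The guard the patch adds: report and stop instead of looping. */
            fprintf(stderr, "Invalid option length 0 at offset %zu\n", offset);
            return -1;
        }
        if (opt_bytes > len - offset)  /* option claims more than is left */
            return -1;
        count++;
        offset += opt_bytes;
    }
    return count;
}

/* Constructed sample data: two well-formed 8-byte options, and the same
 * chain with the second option's length byte forced to zero. */
static const uint8_t good_opts[] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* source link-layer addr */
    0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc   /* MTU option */
};
static const uint8_t zero_len_opts[] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc   /* length byte is 0 */
};

int main(void)
{
    printf("good chain: %d options\n", walk_nd_options(good_opts, sizeof good_opts));
    printf("zero-length chain: %d\n", walk_nd_options(zero_len_opts, sizeof zero_len_opts));
    return 0;
}
```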