Wireshark-bugs: [Wireshark-bugs] [Bug 6687] packetBB dissector bug: More than 1000000 items in t

Date: Thu, 29 Dec 2011 10:25:48 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6687

Martin Kaiser <wireshark@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wireshark@xxxxxxxxx

--- Comment #1 from Martin Kaiser <wireshark@xxxxxxxxx> 2011-12-29 10:25:47 PST ---
I've had a quick look though I'm not really familiar with that protocol.

The problem is in dissect_packetbb(), offset remains 1 in the while loop.
In dissect_pbb_message(), header, tlvblock and (optional) address blocks are
dissected. After the header, offset is already larger than the entire message.
dissect_pbb_tlvblock() tries to correct this by setting offset to 1 :-(

My understanding is that a tlvblock is mandatory
http://tools.ietf.org/html/rfc5444#section-5.2

When there's an overflow before the tlvblock, dissect_pbb_tlvblock() should not
be called.

The attached patch corrects this.

Best regards,

  Martin

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.