Pascal Quantin changed bug 12686

What | Removed | Added
Status | UNCONFIRMED | CONFIRMED
CC | | [email protected]
Ever confirmed | | 1

Comment # 1 on bug 12686 from Pascal Quantin

Function decode_gtp_nsapi does a call to proto_tree_add_subtree with a length
of 10 bytes while there are only 2 bytes in the IE:
    ext_tree = proto_tree_add_subtree(tree, tvb, offset, 10,
                                      ett_gtp_ies[GTP_EXT_NSAPI], &te,
                                      val_to_str_ext_const(GTP_EXT_NSAPI, &gtp_val_ext,
                                                           "Unknown message"));
    nsapi = tvb_get_guint8(tvb, offset + 1) & 0x0F;
    proto_tree_add_item(ext_tree, hf_gtp_nsapi, tvb, offset + 1, 1,
                        ENC_BIG_ENDIAN);
    proto_item_append_text(te, ": %u",nsapi);
    return 2;
Since I44cb3ce8e647ae2816d5ffa95435068c435a1e5c, we are checking that there is
no out of bounds access while previously we were not.
The code should be instead:
    ext_tree = proto_tree_add_subtree(tree, tvb, offset, 2,
                                      ett_gtp_ies[GTP_EXT_NSAPI], &te,
                                      val_to_str_ext_const(GTP_EXT_NSAPI, &gtp_val_ext,
                                                           "Unknown message"));
I do not have access to a development machine so as to push the fix myself.
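
The following is an added example, not part of the comment above and not Wireshark code. It models why a subtree length of 10 on a 2-byte IE fails a bounds check only when fewer than 10 bytes remain in the packet. `struct buf`, `range_ok`, `decode_nsapi` and `demo` are hypothetical stand-ins, and the sample bytes (including the 0x14 type octet) are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a dissector buffer; not Wireshark's tvbuff_t. */
struct buf { const uint8_t *data; size_t len; };

#define NSAPI_IE_LEN 2 /* type octet + value octet */

/* 1 if [offset, offset + length) lies inside the buffer. Comparing against
 * len - offset avoids size_t wrap-around in offset + length. */
static int range_ok(const struct buf *b, size_t offset, size_t length)
{
    return offset <= b->len && length <= b->len - offset;
}

/* Decode an NSAPI IE, claiming claimed_len bytes for its subtree.
 * Returns bytes consumed, or -1 if the claimed range is out of bounds. */
static int decode_nsapi(const struct buf *b, size_t offset,
                        size_t claimed_len, uint8_t *nsapi)
{
    if (!range_ok(b, offset, claimed_len) ||
        !range_ok(b, offset, NSAPI_IE_LEN))
        return -1;
    *nsapi = b->data[offset + 1] & 0x0F; /* NSAPI is the low nibble */
    return NSAPI_IE_LEN;
}

/* Constructed sample: NSAPI IE (type octet 0x14 assumed, value 0xF5)
 * followed by `trailing` zero bytes. Returns the NSAPI or -1. */
static int demo(size_t trailing, size_t claimed_len)
{
    uint8_t pkt[NSAPI_IE_LEN + 16] = { 0x14, 0xF5 };
    struct buf b = { pkt, NSAPI_IE_LEN + (trailing > 16 ? 16 : trailing) };
    uint8_t nsapi = 0;

    if (decode_nsapi(&b, 0, claimed_len, &nsapi) < 0)
        return -1;
    return nsapi;
}

int main(void)
{
    printf("IE last in packet, length 10: %d\n", demo(0, 10)); /* rejected */
    printf("IE last in packet, length 2:  %d\n", demo(0, 2));
    printf("8 bytes follow, length 10:    %d\n", demo(8, 10)); /* masked */
    return 0;
}
```

In the third case the oversized length passes the check because other data follows the IE, so the subtree silently covers bytes that belong to the next elements.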