Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

[PATCH] babel: fix infinite loop with TLVs of length 0.

From: Juliusz Chroboczek <jch () irif fr>
Date: Tue, 5 Nov 2019 15:25:07 +0100
From: Sawssen Hadded <saw.hadded () gmail com>

Sublen was misinterpreted -- it's the length of the value, not of the TLV.

Fixes #15856.

Change-Id: I8090425abd83654304a3539ac2ea6bc3f107ef5c
---
 epan/dissectors/packet-babel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-babel.c b/epan/dissectors/packet-babel.c
index 141a70ed90..361d4584f5 100644
--- a/epan/dissectors/packet-babel.c
+++ b/epan/dissectors/packet-babel.c
@@ -264,7 +264,7 @@ dissect_babel_subtlvs(tvbuff_t * tvb, packet_info *pinfo, guint8 type,
 
         sub_item =
           proto_tree_add_uint_format(message_tree, hf_babel_subtlv,
-                                     tvb, beg, sublen, subtype,
+                                     tvb, beg, sublen+2, subtype,
                                      "Sub TLV %s (%u)",
                                      val_to_str_const(subtype, subtlvs, "unknown"),
                                      subtype);
@@ -280,7 +280,7 @@ dissect_babel_subtlvs(tvbuff_t * tvb, packet_info *pinfo, guint8 type,
         }
 
         if(subtype == MESSAGE_SUB_PAD1){
-            beg += sublen;
+            beg += 1;
             continue;
         }
         if ((MANDATORY_FLAG & subtype) != 0) {
-- 
2.23.0

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: