Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7801 :
authorPascal Quantin <pascal.quantin@gmail.com>
Sat, 6 Oct 2012 10:01:59 +0000 (10:01 -0000)
committerPascal Quantin <pascal.quantin@gmail.com>
Sat, 6 Oct 2012 10:01:59 +0000 (10:01 -0000)
Ensure that the sub-type length is at least 2 (for sub-type and length fields).
Prevents an infinite loop when the length equals 0.

svn path=/trunk/; revision=45337

epan/dissectors/packet-3g-a11.c

index ce12ac18367a72a1362f30a3d2a33aa3fc60fd9b..3d875bc3fe20485ac1c0e76740adf5e61a2f2956 100644 (file)
@@ -44,6 +44,7 @@
 #include <glib.h>
 
 #include <epan/packet.h>
+#include <epan/expert.h>
 /* Include vendor id translation */
 #include <epan/sminmpec.h>
 
@@ -612,10 +613,11 @@ dissect_a11_radius( tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *t
 
 /* X.S0011-005-D v2.0 Service Option Profile */
 static const gchar *
-dissect_3gpp2_service_option_profile(proto_tree  *tree, tvbuff_t  *tvb, packet_info *pinfo _U_)
+dissect_3gpp2_service_option_profile(proto_tree  *tree, tvbuff_t  *tvb, packet_info *pinfo)
 {
     int    offset = 0;
     guint8 sub_type, sub_type_length;
+    proto_item *pi;
 
     /* Maximum service connections/Link Flows total 32 bit*/
     proto_tree_add_item(tree, hf_a11_serv_opt_prof_max_serv, tvb, offset, 4, ENC_BIG_ENDIAN);
@@ -627,8 +629,12 @@ dissect_3gpp2_service_option_profile(proto_tree  *tree, tvbuff_t  *tvb, packet_i
         sub_type = tvb_get_guint8(tvb,offset);
         proto_tree_add_item(tree, hf_a11_sub_type, tvb, offset, 1, ENC_BIG_ENDIAN);
         offset++;
-        proto_tree_add_item(tree, hf_a11_sub_type_length, tvb, offset, 1, ENC_BIG_ENDIAN);
+        pi = proto_tree_add_item(tree, hf_a11_sub_type_length, tvb, offset, 1, ENC_BIG_ENDIAN);
         offset++;
+        if (sub_type_length < 2) {
+            expert_add_info_format(pinfo, pi, PI_PROTOCOL, PI_WARN, "Sub-Type Length should be at least 2");
+            sub_type_length = 2;
+        }
         if (sub_type==1){
             proto_tree_add_item(tree, hf_a11_serv_opt, tvb, offset, 1, ENC_BIG_ENDIAN);
             offset++;
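Review bot: The expert info added at L43 classifies a length that violates the fixed minimum as PI_PROTOCOL/PI_WARN, but a sub-type length of 0 or 1 cannot encode a valid entry and previously hung the dissector, so it is a malformed packet rather than a protocol-level warning; PI_MALFORMED/PI_ERROR would route it to the malformed filter and the message should carry the offending value: `expert_add_info_format(pinfo, pi, PI_MALFORMED, PI_ERROR, "Sub-Type Length should be at least 2 (got %u)", sub_type_length);`. The same applies to the identical block at L55-L58 in dissect_3gpp2_radius_aut_flow_profile_ids. The clamp to 2 presumably works because the loop advances offset by sub_type_length and the two header bytes have already been consumed, but the read of sub_type_length and the loop advance are outside this hunk, so that should be confirmed. A one-line comment above the check, `/* 0 or 1 would make the loop advance by nothing (bug 7801); clamp to the 2 header bytes */`, would preserve the reasoning for the next reader.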
@@ -672,7 +678,11 @@ dissect_3gpp2_radius_aut_flow_profile_ids(proto_tree  *tree, tvbuff_t  *tvb, pac
 
         proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type, tvb, offset, 1, ENC_BIG_ENDIAN);
         offset++;
-        proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_len, tvb, offset, 1, ENC_BIG_ENDIAN);
+        item = proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_len, tvb, offset, 1, ENC_BIG_ENDIAN);
+        if (sub_type_length < 2) {
+            expert_add_info_format(pinfo, item, PI_PROTOCOL, PI_WARN, "Sub-Type Length should be at least 2");
+            sub_type_length = 2;
+        }
         offset++;
         proto_tree_add_item(sub_tree, hf_a11_aut_flow_prof_sub_type_value, tvb, offset, 2, ENC_BIG_ENDIAN);
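Review bot: The new check at L55 admits sub_type_length == 2, yet the line after it unconditionally reads a 2-byte value field at offset, so an entry whose declared length covers only the sub-type and length octets is still dissected as if it were 4 bytes long; if the enclosing loop advances by sub_type_length, that value field is then re-read as the next entry's header. Either the minimum for this sub-type should be 4, or the value read should be made conditional, e.g. `if (sub_type_length < 4) { expert_add_info_format(pinfo, item, PI_MALFORMED, PI_ERROR, "Sub-Type Length should be at least 4"); sub_type_length = 4; }`. The loop head and the offset advance are outside this hunk, so the exact minimum depends on how offset is stepped there. Placing the check before the second `offset++` here but after it in dissect_3gpp2_service_option_profile is harmless but inconsistent; aligning the two makes the pattern easier to audit.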