Fix the infinite loop fuzz failure reported in
authorJeff Morriss <jeff.morriss.ws@gmail.com>
Sun, 30 Jun 2013 16:28:52 +0000 (16:28 -0000)
committerJeff Morriss <jeff.morriss.ws@gmail.com>
Sun, 30 Jun 2013 16:28:52 +0000 (16:28 -0000)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8875 :

Don't let a negative item_length decrement our offset.

svn path=/trunk/; revision=50258

epan/dissectors/packet-btobex.c

index 3726241b702fb062a55d0cb254e5c34146094870..3304ff540d4d8e27490cfbd0095d0d85fda3f6e9 100644 (file)
@@ -1103,12 +1103,11 @@ dissect_headers(proto_tree *tree, tvbuff_t *tvb, int offset, packet_info *pinfo,
                         proto_item_append_text(hdr_tree, " (\"%s\")", str);
 
                         col_append_fstr(pinfo->cinfo, COL_INFO, " \"%s\"", str);
+                        offset += item_length - 3;
                     }
                     else {
                         col_append_str(pinfo->cinfo, COL_INFO, " \"\"");
                     }
-
-                    offset += item_length - 3;
                 }
                 break;
             case 0x40:  /* byte sequence */
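Review bot: Moving `offset += item_length - 3;` into the string branch makes the advance depend on the branch condition, which starts above this hunk and is not visible here; the else branch (empty string) now leaves offset where it was, so the loop's progress in that case rests entirely on whatever consumed the item header before the switch. If that condition is not equivalent to `item_length >= 3`, a well-formed header whose string branch is skipped would no longer advance, and a malformed one is silently accepted rather than reported. The second hunk in this file fixes the same class of problem with an explicit guard, `if (item_length >= 3) offset += item_length - 3;`; using that same shape here, outside the if/else, would keep both sites consistent and make the invariant visible at the point of use. The enclosing `dissect_headers` loop begins and ends outside the hunk.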
@@ -1225,7 +1224,8 @@ dissect_headers(proto_tree *tree, tvbuff_t *tvb, int offset, packet_info *pinfo,
                     col_append_fstr(pinfo->cinfo, COL_INFO, " \"%s\"", tvb_get_ephemeral_string(tvb, offset,item_length - 3));
                 }
 
-                offset += item_length - 3;
+                if (item_length >= 3) /* prevent infinite loops */
+                    offset += item_length - 3;
                 break;
             case 0x80:  /* 1 byte */
                 proto_item_append_text(hdr_tree, " (%i)", tvb_get_ntohl(tvb, offset));
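Review bot: The new guard `if (item_length >= 3)` stops offset from moving backwards, but for `item_length == 3` the addend is 0 and for `item_length < 3` the advance is skipped, so forward progress still depends on the header bytes having been consumed earlier in the loop, which is outside this hunk. The comment `/* prevent infinite loops */` overstates what the line does; `/* item_length counts the 3-byte header; never let a short length move offset backwards */` describes the check accurately. A length below 3 is a malformed header, and a dissector would normally surface that to the user (expert info or a malformed-packet throw) instead of silently continuing, so the guard is better treated as a backstop than as the handling of that case. The context call `tvb_get_ephemeral_string(tvb, offset, item_length - 3)` above is presumably protected by its own enclosing condition, but that condition is not visible in the hunk.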