path: root/net/wireshark/patches/patch-ae

$NetBSD: patch-ae,v 1.1.2.2 2010/09/28 05:36:59 spz Exp $

Fix for SA41535 taken from here:

http://anonsvn.wireshark.org/viewvc?view=rev&revision=34111

--- epan/dissectors/packet-ber.c.orig	2010-08-29 23:17:07.000000000 +0100
+++ epan/dissectors/packet-ber.c	2010-09-25 11:53:33.000000000 +0100
@@ -200,6 +200,14 @@
 	{ 0, NULL }
 };
 
+/*
+ * Set a limit on recursion so we don't blow away the stack. Another approach
+ * would be to remove recursion completely but then we'd exhaust CPU+memory
+ * trying to read a hellabyte of nested indefinite lengths.
+ * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
+ */
+#define BER_MAX_NESTING 500
+
 static const true_false_string ber_real_binary_vals = {
 	"Binary encoding",
 	"Decimal encoding"
@@ -422,7 +430,8 @@
  return offset;
 }
 
-int dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+static int
+try_dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, gint nest_level)
 {
 	int start_offset;
 	gint8 class;
@@ -438,6 +447,11 @@
 	proto_item *pi, *cause;
 	asn1_ctx_t asn1_ctx;
 
+	if (nest_level > BER_MAX_NESTING) {
+		/* Assume that we have a malformed packet. */
+		THROW(ReportedBoundsError);
+	}
+
 	start_offset=offset;
 	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
 
@@ -500,7 +514,7 @@
 					}
 					item = proto_tree_add_item(tree, hf_ber_unknown_BER_OCTETSTRING, tvb, offset, len, FALSE);
 					next_tree = proto_item_add_subtree(item, ett_ber_octet_string);
-					offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+					offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
 				}
 			} 
 			if (!is_decoded_as) {
@@ -585,7 +599,7 @@
 		is_decoded_as = TRUE;
 		proto_item_append_text (pi, "[BER encoded]");
 		next_tree = proto_item_add_subtree(pi, ett_ber_primitive);
-		offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+		offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
 	      }
 	    }
 
@@ -632,7 +646,7 @@
 			next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
 		}
 		while(offset < (int)(start_offset + len + hdr_len))
-		  offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+		  offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
 		break;
 	  case BER_CLASS_APP:
 	  case BER_CLASS_CON:
@@ -643,7 +657,7 @@
 			next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
 		}
 		while(offset < (int)(start_offset + len + hdr_len))
-		  offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+		  offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
 		break;
 
 	  }
@@ -654,6 +668,11 @@
 	return offset;
 }
 
+int
+dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+{
+	return try_dissect_unknown_ber(pinfo, tvb, offset, tree, 1);
+}
 
 int
 call_ber_oid_callback(const char *oid, tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree)
@@ -853,13 +872,6 @@
  */
 /* 8.1.3 Length octets */
 
-/*
- * Set a limit on recursion so we don't blow away the stack. Another approach
- * would be to remove recursion completely but then we'd exhaust CPU+memory
- * trying to read a hellabyte of nested indefinite lengths.
- * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
- */
-#define BER_MAX_INDEFINITE_NESTING 500
 static int
 try_get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind, gint nest_level) {
 	guint8 oct, len;
@@ -873,7 +885,7 @@
 	tmp_length = 0;
 	tmp_ind = FALSE;
 
-	if (nest_level > BER_MAX_INDEFINITE_NESTING) {
+	if (nest_level > BER_MAX_NESTING) {
 		/* Assume that we have a malformed packet. */
 		THROW(ReportedBoundsError);
 	}