$NetBSD: patch-ae,v 1.1.2.2 2010/09/28 05:36:59 spz Exp $
Fix for SA41535 taken from here:
http://anonsvn.wireshark.org/viewvc?view=rev&revision=34111
--- epan/dissectors/packet-ber.c.orig 2010-08-29 23:17:07.000000000 +0100
+++ epan/dissectors/packet-ber.c 2010-09-25 11:53:33.000000000 +0100
@@ -200,6 +200,14 @@
{ 0, NULL }
};
+/*
+ * Set a limit on recursion so we don't blow away the stack. Another approach
+ * would be to remove recursion completely but then we'd exhaust CPU+memory
+ * trying to read a hellabyte of nested indefinite lengths.
+ * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
+ */
+#define BER_MAX_NESTING 500
+
static const true_false_string ber_real_binary_vals = {
"Binary encoding",
"Decimal encoding"
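Review bot: The comment above `BER_MAX_NESTING` still explains the limit only in terms of nested indefinite lengths, although later hunks of this patch also use the constant to cap recursion in `try_dissect_unknown_ber`. I would append a line such as `Also bounds the recursion depth of try_dissect_unknown_ber().` so both users are documented. The value 500 was carried over from the length parser, while the dissect function keeps an `asn1_ctx_t` and other locals in each frame. It is worth confirming that 500 such frames fit the smallest stack this code runs on; the existing XXX about the ASN.1 plugin's limit of 32 raises the same question.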
@@ -422,7 +430,8 @@
return offset;
}
-int dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+static int
+try_dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, gint nest_level)
{
int start_offset;
gint8 class;
@@ -438,6 +447,11 @@
proto_item *pi, *cause;
asn1_ctx_t asn1_ctx;
+ if (nest_level > BER_MAX_NESTING) {
+ /* Assume that we have a malformed packet. */
+ THROW(ReportedBoundsError);
+ }
+
start_offset=offset;
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
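Review bot: When the new depth check at the top of `try_dissect_unknown_ber` fires, it throws `ReportedBoundsError` before anything is added to `tree`, so the result looks like any other malformed packet, with no sign that the nesting limit was the cause. For triage of crafted captures it would help to record the reason first, e.g. `proto_tree_add_text(tree, tvb, offset, 0, "BER: nesting deeper than %d, dissection stopped", BER_MAX_NESTING);` ahead of the `THROW`. The function body continues outside this hunk, so I have not checked whether a handler further up already annotates the exception.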
@@ -500,7 +514,7 @@
}
item = proto_tree_add_item(tree, hf_ber_unknown_BER_OCTETSTRING, tvb, offset, len, FALSE);
next_tree = proto_item_add_subtree(item, ett_ber_octet_string);
- offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
}
}
if (!is_decoded_as) {
@@ -585,7 +599,7 @@
is_decoded_as = TRUE;
proto_item_append_text (pi, "[BER encoded]");
next_tree = proto_item_add_subtree(pi, ett_ber_primitive);
- offset = dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset = try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
}
}
@@ -632,7 +646,7 @@
next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
}
while(offset < (int)(start_offset + len + hdr_len))
- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
break;
case BER_CLASS_APP:
case BER_CLASS_CON:
@@ -643,7 +657,7 @@
next_tree=proto_item_add_subtree(item, ett_ber_SEQUENCE);
}
while(offset < (int)(start_offset + len + hdr_len))
- offset=dissect_unknown_ber(pinfo, tvb, offset, next_tree);
+ offset=try_dissect_unknown_ber(pinfo, tvb, offset, next_tree, nest_level+1);
break;
}
@@ -654,6 +668,11 @@
return offset;
}
+int
+dissect_unknown_ber(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree)
+{
+ return try_dissect_unknown_ber(pinfo, tvb, offset, tree, 1);
+}
int
call_ber_oid_callback(const char *oid, tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree)
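Review bot: The public `dissect_unknown_ber` wrapper always starts the counter at 1, so the `BER_MAX_NESTING` bound holds only for recursion that stays inside `try_dissect_unknown_ber`. If any path reached from that function calls back into `dissect_unknown_ber` (an OID or decode-as callback, for example; none is visible in these hunks), the depth restarts and the stack can still grow past the limit. I would audit the callers and document the contract on the wrapper, e.g. `/* Entry point: restarts nesting depth at 1; recursive callers must use try_dissect_unknown_ber(). */`. The `nest_level` parameter of `try_get_ber_length` is a separate counter, so the two depths are not added together.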
@@ -853,13 +872,6 @@
*/
/* 8.1.3 Length octets */
-/*
- * Set a limit on recursion so we don't blow away the stack. Another approach
- * would be to remove recursion completely but then we'd exhaust CPU+memory
- * trying to read a hellabyte of nested indefinite lengths.
- * XXX - Max nesting in the ASN.1 plugin is 32. Should they match?
- */
-#define BER_MAX_INDEFINITE_NESTING 500
static int
try_get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind, gint nest_level) {
guint8 oct, len;
@@ -873,7 +885,7 @@
tmp_length = 0;
tmp_ind = FALSE;
- if (nest_level > BER_MAX_INDEFINITE_NESTING) {
+ if (nest_level > BER_MAX_NESTING) {
/* Assume that we have a malformed packet. */
THROW(ReportedBoundsError);
}