From 1921740b0bf561941e0906884757831bde989add Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Wed, 6 Sep 2023 06:13:23 -0400
Subject: [PATCH] RTPS: Check for signed overflow
Origin: https://gitlab.com/wireshark/wireshark/-/commit/1921740b0bf561941e0906884757831bde989add

The offset is a signed integer, and we use negative offsets to mean "offset counting from the end of the tvb." That means that we can still have an excessive loop without unsigned overflow or running off the end of the tvb, if the result of adding a large unsigned integer to the offset results in a small negative number. Just check if the result of the addition makes the offset move backwards.
Fix #19322
(backported from commit 0de07f8fe4f8e06da9084485e64a24c8f85a20f4)
---
 epan/dissectors/packet-rtps.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-rtps.c b/epan/dissectors/packet-rtps.c
index 82ac8f9436b..c152d50dfc6 100644
--- a/epan/dissectors/packet-rtps.c
+++ b/epan/dissectors/packet-rtps.c
@@ -2474,13 +2474,14 @@ static const fragment_items rtps_frag_items = {
 "RTPS fragments"
 };

-static guint32 check_offset_addition(guint32 offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
+static gint check_offset_addition(gint offset, guint32 value, proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb)
 {
- if (offset > G_MAXUINT32 - value) {
+ gint new_offset = offset + (gint)value;
+ if (new_offset < offset) {
 proto_tree_add_expert_format(tree, pinfo, &ei_rtps_value_too_large, tvb, 0, 0, "Offset value too large: %u", value);
 THROW(ReportedBoundsError);
 }
- return offset + value;
+ return new_offset;
 }

 static void rtps_util_dissect_parameter_header(tvbuff_t * tvb, gint * offset,
-- GitLab
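Review bot: The new guard in check_offset_addition() tests for overflow only after the signed addition has been performed: `offset + (gint)value` overflowing a gint is undefined behaviour in C, so a compiler may reduce `new_offset < offset` to a sign test on `(gint)value` and miss the case where a value no larger than G_MAXINT pushes a large positive offset past the limit. Because this check is what stops an excessive loop on a malformed RTPS packet, it should not depend on wrapping arithmetic; test the operands before adding, e.g. `if (value > (guint32)G_MAXINT || offset > G_MAXINT - (gint)value) {` and then `return offset + (gint)value;`. That form still accepts negative (from-the-end) offsets and rejects any value that does not fit in a gint, which matches the intent stated in the commit message. Whether the build enables a wrapping flag such as `-fwrapv` is not visible in this patch, so the current form should be treated as relying on it.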