From be9bdfda02a2498c6f65122d80e3a8b4235dc7f5 Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Tue, 21 May 2019 10:41:41 -0700
Subject: [PATCH] Add dissection recursion checks.

Enforce a maximum layer limit in call_dissector_work and dissector_try_heuristic.

Bug: 15778
Change-Id: I691868e980384b76a64f88de4db5bb7340a7c4aa
Reviewed-on: https://code.wireshark.org/review/33301
Petri-Dish: Gerald Combs
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo
Reviewed-by: Gerald Combs
---
 epan/packet.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/epan/packet.c b/epan/packet.c
index 62b102da33e..f44809a27e8 100644
--- a/epan/packet.c
+++ b/epan/packet.c
@@ -729,6 +729,13 @@ static int call_dissector_work_error(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo_arg, proto_tree *tree, void *);
+/*
+ * XXX packet_info.curr_layer_num is a guint8 and *_MAX_RECURSION_DEPTH is
+ * 100 elsewhere in the code. We should arguably use the same value here,
+ * but using that makes suite_wslua.case_wslua.test_wslua_dissector_fpm fail.
+ */
+#define PINFO_LAYER_MAX_RECURSION_DEPTH 500
+
 static int
 call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo_arg, proto_tree *tree, gboolean add_proto_name, void *data)
@@ -751,6 +758,7 @@ call_dissector_work(dissector_handle_t handle, tvbuff_t *tvb, packet_info *pinfo
 saved_proto = pinfo->current_proto;
 saved_can_desegment = pinfo->can_desegment;
 saved_layers_len = wmem_list_count(pinfo->layers);
+ DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);

 /*
 * can_desegment is set to 2 by anyone which offers the
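Review bot: `PINFO_LAYER_MAX_RECURSION_DEPTH` is set to 500, yet the comment directly above it says `packet_info.curr_layer_num` is a `guint8`, so the limit admits more layers than that field can number. If the field is incremented once per layer (not visible in this hunk), it would wrap after 255 long before the new assertion fires. The value is also justified only by a failing test rather than by a stack budget, and it is five times the 100 the comment cites for the other recursion limits, so deeply nested input may still exhaust the stack on platforms with small stacks. I would either lower the limit to something the counter can hold or state the consequence in the comment, e.g. `* Layers above 255 cannot be numbered uniquely in curr_layer_num.`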
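Review bot: The depth check added in call_dissector_work is a bare `DISSECTOR_ASSERT`, so a capture that merely nests too deeply is reported as a dissector bug carrying only the expression text, although the condition is reached from packet contents rather than a coding error. Where dissector bugs are configured to abort the process, that would turn a malformed capture into a crash. A hint would at least make the report actionable: `DISSECTOR_ASSERT_HINT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH, "Too many protocol layers");`. The same applies to the identical assertion added in the dissector_try_heuristic hunk; both function bodies continue outside their hunks.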
@@ -2724,6 +2732,8 @@ dissector_try_heuristic(heur_dissector_list_t sub_dissectors, tvbuff_t *tvb,
 saved_layers_len = wmem_list_count(pinfo->layers);
 *heur_dtbl_entry = NULL;
+ DISSECTOR_ASSERT(saved_layers_len < PINFO_LAYER_MAX_RECURSION_DEPTH);
+
 for (entry = sub_dissectors->dissectors; entry != NULL; entry = g_slist_next(entry)) {
 /* XXX - why set this now and above? */