From 40ed7e814bce9d27cc7a43a3c9612d25692be716 Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Sat, 30 Mar 2024 08:07:26 -0400
Subject: [PATCH] Mongo: Ensure the offset advances

The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths. dissect_bson_document checks for bogus values and ensures that a non-negative (and at least 5) size is returned, but we need to make sure to use that return value instead of trusting the value read from the packet in dissect_op_msg_section.

Fix #19726

(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
---
 epan/dissectors/packet-mongo.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
index b5a8bbffc2a..8e5f6370fbf 100644
--- a/epan/dissectors/packet-mongo.c
+++ b/epan/dissectors/packet-mongo.c
@@ -799,7 +799,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
   switch (e_type) {
   case KIND_BODY:
-    dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+    section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
+    /* If section_len is bogus (e.g., negative), dissect_bson_document sets
+     * an expert info and can return a different value than read above.
+     */
     break;
   case KIND_DOCUMENT_SEQUENCE: {
     gint32 dsi_length;
@@ -808,6 +811,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
     proto_tree *documents_tree;
     proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+    /* This is redundant with the lengths in the documents, we don't use this
+     * size at all. We could still report an expert info if it's bogus.
+     */
     offset += 4;
     to_read -= 4;
-- 
GitLab
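Review bot: The comment added under the new `section_len =` assignment in the KIND_BODY case describes what dissect_bson_document does with a bogus length, but not that the caller must advance `offset` by this validated return value rather than by the length read from the packet, which is the whole point of the fix; a later cleanup could easily drop the store as a redundant write. I would place the comment above the assignment and make the dependency explicit: `/* Advance by the length dissect_bson_document validated (non-negative, at least 5), not the raw value read from the packet: a bogus or negative length would otherwise leave offset stuck on the same section. */`. The declaration of section_len and the line that advances offset by it are outside the hunk, as is the rest of dissect_op_msg_section, so I cannot confirm from here that section_len's type matches the function's return type; since offset is `guint` and the wire lengths are signed 32-bit, that signed/unsigned pairing is worth a glance.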