From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Tue, 23 May 2023 13:52:03 -0700
Subject: [PATCH] XRA: Fix an infinite loop

C compilers don't care what size a value was on the wire. Use naturally-sized ints, including in dissect_message_channel_mb where we would otherwise overflow and loop infinitely.
Fixes #19100
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5]
CVE: CVE-2023-2952
Signed-off-by: Hitendra Prajapati
---
 epan/dissectors/packet-xra.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c
index 68a8e72..6c7ab74 100644
--- a/epan/dissectors/packet-xra.c
+++ b/epan/dissectors/packet-xra.c
@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
 it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA);
 xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
 while (tlv_index < tlv_length) {
 guint8 type = tvb_get_guint8 (tvb, tlv_index);
 ++tlv_index;
@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint
 it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA);
 xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
 while (tlv_index < tlv_length) {
 guint8 type = tvb_get_guint8 (tvb, tlv_index);
 ++tlv_index;
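Review bot: The `tlv_index` change here, repeated in dissect_xra_tlv_ms_info, dissect_xra_tlv_burst_info and dissect_xra_tlv, leaves the walk guarded only by `while (tlv_index < tlv_length)`: the type byte is read under that guard, but `++tlv_index` runs before the next read, which lies outside the hunk, so a block that ends right after a type byte presumably relies on the tvb accessor throwing rather than on an explicit length check. `guint32` and `unsigned` have the same width on the usual targets, so these four hunks do not change that behaviour. A comment on each loop would record the assumption, for example `/* tlv_index may reach tlv_length after the type byte; the tvb_get_* accessors bounds-check every read */`.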
@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu
 it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA);
 xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
 while (tlv_index < tlv_length) {
 guint8 type = tvb_get_guint8 (tvb, tlv_index);
 ++tlv_index;
@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da
 it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA);
 xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv);
- guint32 tlv_index =0;
+ unsigned tlv_index = 0;
 tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb;
 while (tlv_index < tlv_length) {
@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
 if(packet_start_pointer_field_present) {
 proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer);
- guint16 docsis_start = 3 + packet_start_pointer;
+ unsigned docsis_start = 3 + packet_start_pointer;
 while (docsis_start + 6 < remaining_length) {
 /*DOCSIS header in packet*/
 guint8 fc = tvb_get_guint8(tvb,docsis_start + 0);
@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree
 docsis_start += 1;
 continue;
 }
- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
+ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3);
 if (docsis_start + 6 + docsis_length <= remaining_length) {
 /*DOCSIS packet included in packet*/
 tvbuff_t *docsis_tvb;
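Review bot: Nothing at the `unsigned docsis_start = 3 + packet_start_pointer;` declaration in dissect_message_channel_mb records why the variable has to be wider than the 2-byte field it is derived from, so a later cleanup could narrow it again and bring the wraparound back. The commit message gives the reason (the sum overflowed and the `while (docsis_start + 6 < remaining_length)` scan never ended); I would put it next to the declaration: `/* wider than the 2-byte on-wire pointer: 3 + packet_start_pointer must not wrap, or the scan loop below never terminates */`. The declaration of `remaining_length` is outside the hunk; if it turns out to be narrower or signed, the comparison deserves a second look.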
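Review bot: In the second dissect_message_channel_mb hunk the length is still assembled by hand from two single-byte reads, `256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3)`; one big-endian 16-bit read yields the same value with a single bounds check and reads more clearly: `unsigned docsis_length = tvb_get_ntohs(tvb, docsis_start + 2);`. The rest of the loop body is outside the hunk, including how `docsis_start` advances when the `docsis_start + 6 + docsis_length <= remaining_length` test fails, so termination on that path cannot be confirmed from the lines shown.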
@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) {
 static int
 dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_)
 {
- guint16 offset = 0;
+ int offset = 0;
 proto_tree *plc_tree;
 proto_item *plc_item;
 tvbuff_t *mb_tvb;
@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _
 static int
 dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_)
 {
- guint16 offset = 0;
+ int offset = 0;
 proto_tree *ncp_tree;
 proto_item *ncp_item;
 tvbuff_t *ncp_mb_tvb;
--
2.25.1
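Review bot: `offset` becomes a signed `int` in dissect_plc and, in the next hunk, dissect_ncp, while every other counter touched by this patch becomes `unsigned`, and nothing in the code explains the difference. If the choice is deliberate, to match the signed offset parameter of the tvb accessors, a short comment would say so and warn against narrowing it again, e.g. `/* int to match tvb offsets; keep it wider than 16 bits so it cannot wrap */`. The loops that advance and compare `offset` lie outside both hunks, so whether it is ever compared with an unsigned length there is not visible from here.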