1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Mon Sep 17 00:00:00 2001
From: Jaap Keuter <jaap.keuter@xs4all.nl>
Date: Thu, 27 Jul 2023 20:21:19 +0200
Subject: [PATCH] CP2179: Handle timetag info response without records
Fixes #19229
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d]
CVE: CVE-2023-2906
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
epan/dissectors/packet-cp2179.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c
index 30f53f8..70fe033 100644
--- a/epan/dissectors/packet-cp2179.c
+++ b/epan/dissectors/packet-cp2179.c
@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int
proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN);
num_records = tvb_get_guint8(tvb, offset) & 0x7F;
+ offset += 1;
+
+ if (num_records == 0 || numberofcharacters <= 1)
+ break;
+
recordsize = (numberofcharacters-1) / num_records;
num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */
- offset += 1;
-
for (x = 0; x < num_records; x++)
{
cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1);
--
2.25.1
|
