Ethereal-dev: [Ethereal-dev] 0.8.12: infinite loop with invalid icmp6 option values
The packet-icmp6.c dissector can get into an infinite loop if a packet it
receives has ICMPv6 options with a length field of zero (0).
This patch fixes the problem.
--
santtu@xxxxxx I have become death, destroyer of the worlds.
*** ethereal-0.8.12-orig/packet-icmpv6.c Tue Sep 12 23:25:18 2000
--- ethereal-0.8.12/packet-icmpv6.c Thu Oct 12 12:59:53 2000
***************
*** 1,5 ****
/* packet-icmpv6.c
! * Routines for ICMPv6 packet disassembly
*
* $Id: packet-icmpv6.c,v 1.25 2000/08/29 14:17:12 itojun Exp $
*
--- 1,5 ----
/* packet-icmpv6.c
! * Routines for ICMPv6 packet disassembly
*
* $Id: packet-icmpv6.c,v 1.25 2000/08/29 14:17:12 itojun Exp $
*
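Review bot: the `!` lines in this hunk (the "Routines for ICMPv6 packet disassembly" comment line) read the same on both sides as shown, which suggests a whitespace-only change. It is unrelated to the option-length fix and would be better left out of the patch or sent separately, so that the functional change stands alone.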
***************
*** 7,23 ****
* By Gerald Combs <gerald@xxxxxxxx>
* Copyright 1998 Gerald Combs
*
! *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
! *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
! *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
--- 7,23 ----
* By Gerald Combs <gerald@xxxxxxxx>
* Copyright 1998 Gerald Combs
*
! *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
! *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
! *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
***************
*** 208,213 ****
--- 208,221 ----
}
}
+ if (opt->nd_opt_len == 0) {
+ proto_tree_add_text(icmp6opt_tree, NullTVB,
+ offset + offsetof(struct nd_opt_hdr, nd_opt_len), 1,
+ "Invalid option length: %d",
+ opt->nd_opt_len);
+ return;
+ }
+
offset += (opt->nd_opt_len << 3);
goto again;
}
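Review bot: the zero-length test sits at the bottom of the loop, directly before `offset += (opt->nd_opt_len << 3);`, so everything above it in the loop body has already run for an option whose length is invalid. Consider moving the check to just after the option header is read, before any per-type handling. The test also only covers `nd_opt_len == 0`; nothing in these lines checks that `offset + (opt->nd_opt_len << 3)` stays within the available data, so please confirm that is bounded where the loop restarts at `again`. Minor: `%d` with `opt->nd_opt_len` can only print 0 in this branch, so the value could simply be part of the string.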
***************
*** 1019,1022 ****
{
old_dissector_add("ip.proto", IP_PROTO_ICMPV6, dissect_icmpv6);
}
-
--- 1027,1029 ----
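The failure mode described in the message, as an added example that is not part of the original post or of Ethereal's code: a stand-alone walker over Neighbor Discovery options that stops on a zero length field and, going beyond the patch, on a length that runs past the buffer. The function, enum and sample names are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes; all names here are hypothetical, not Ethereal's. */
enum { ND_OK = 0, ND_ZERO_LEN = -1, ND_TRUNCATED = -2 };

/* Constructed samples: each option is type, length (8-byte units), data. */
const uint8_t sample_ok[16] = {
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* source link-layer address */
    5, 1, 0, 0, 0x00, 0x00, 0x05, 0xdc };       /* MTU 1500 */
const uint8_t sample_zero[16] = {
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    5, 0, 0, 0, 0x00, 0x00, 0x05, 0xdc };       /* length field is 0 */
const uint8_t sample_long[8] = {
    1, 2, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 }; /* claims 16 bytes, has 8 */

/* Walk options in buf[0..len); *count = well-formed options seen,
 * *bad_off = offset of the option that stopped the walk (0 if none). */
int nd_walk_options(const uint8_t *buf, size_t len, size_t *count, size_t *bad_off)
{
    size_t offset = 0;
    *count = 0;
    *bad_off = 0;
    while (offset < len) {
        size_t opt_len;
        *bad_off = offset;
        if (len - offset < 2)          /* header itself is cut short */
            return ND_TRUNCATED;
        opt_len = (size_t)buf[offset + 1] << 3;
        if (opt_len == 0)              /* offset would never advance */
            return ND_ZERO_LEN;
        if (opt_len > len - offset)    /* option runs past the buffer */
            return ND_TRUNCATED;
        (*count)++;
        offset += opt_len;
    }
    *bad_off = 0;
    return ND_OK;
}

int main(void)
{
    size_t n, bad;
    int rc = nd_walk_options(sample_zero, sizeof sample_zero, &n, &bad);
    printf("rc=%d options=%zu bad_off=%zu\n", rc, n, bad);
    return 0;
}
```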