dissect_sap() did not create a new tvbuff before calling the SDP
dissector. Also, the test for the MIME content specifier was
inverted.
The broken SAP dissector also broke the SDP dissector, which ended
up looping forever. The little fix for packet-sdp.c makes sure that
the offset is advanced and thus the loop terminates eventually.
A single packet demonstrating the looping is available at
http://www.cs.tut.fi/~hessu/sdp-loop.cap
Index: packet-sdp.c
===================================================================
RCS file: /cvsroot/ethereal/packet-sdp.c,v
retrieving revision 1.16
diff -u -r1.16 packet-sdp.c
--- packet-sdp.c 2000/11/15 07:07:44 1.16
+++ packet-sdp.c 2000/11/19 20:17:57
@@ -118,6 +118,7 @@
next_offset - offset,
"Invalid line: %s",
tvb_format_text(tvb, offset, next_offset - offset));
+ offset++;
continue;
}
value = line + 2;
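Review bot: The added `offset++` in the invalid-line branch moves forward by only one byte, so the next iteration restarts the scan one byte into the same malformed line rather than at the following line. The branch already has next_offset available (it is used for the item length in `next_offset - offset`), so `offset = next_offset;` before the `continue` would skip the whole invalid line in one step and still guarantee termination, as long as next_offset is always greater than offset at this point.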
Index: packet-sap.c
===================================================================
RCS file: /cvsroot/ethereal/packet-sap.c,v
retrieving revision 1.15
diff -u -r1.15 packet-sap.c
--- packet-sap.c 2000/11/19 08:54:05 1.15
+++ packet-sap.c 2000/11/19 20:17:35
@@ -137,6 +137,7 @@
guint16 tmp1;
guint8 *addr;
guint8 auth_flags;
+ tvbuff_t *next_tvb;
proto_item *si, *sif;
proto_tree *sap_tree, *sap_flags_tree;
@@ -239,7 +240,7 @@
}
/* Do we have the optional payload type aka. MIME content specifier */
- if (!tvb_strneql(tvb, offset, "v=", strlen("v="))) {
+ if (tvb_strneql(tvb, offset, "v=", strlen("v="))) {
gint remaining_len;
guint32 pt_len;
int pt_string_len;
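Review bot: The condition `tvb_strneql(tvb, offset, "v=", strlen("v="))` is easy to misread as "the payload starts with v=" when it is true for the opposite case, which is how the inverted test got in originally. Suggest comparing the result explicitly (`!= 0`) and extending the comment above it to say that a payload not beginning with "v=" is treated as carrying the payload type string.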
@@ -276,10 +277,11 @@
tvb_get_ptr(tvb, offset, pt_string_len));
offset += pt_len;
}
-
- /* Done with SAP */
- call_dissector(sdp_handle, tvb, pinfo, tree);
}
+
+ /* Done with SAP */
+ next_tvb = tvb_new_subset(tvb, offset, -1, -1);
+ call_dissector(sdp_handle, next_tvb, pinfo, tree);
return;
}
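Review bot: `tvb_new_subset(tvb, offset, -1, -1)` is now reached unconditionally after `offset += pt_len`, and nothing in the visible lines confirms that any bytes remain at offset. Suggest checking the remaining length before creating next_tvb, so that a truncated packet or one with a payload type length running past the captured data is reported in the SAP tree instead of being handed to the SDP dissector.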