Ethereal-dev: [ethereal-dev] Re: [ethereal-users] ethereal hangs (bug #68024 reported to Debia


From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Fri, 4 Aug 2000 00:37:10 -0700
On Thu, Aug 03, 2000 at 09:23:26PM -0700, Guy Harris wrote:
> There are some problems in the SRVLOC dissector.  I shall work on a fix
> for them, and send a patch out.

This fixes the hang, and clears up a number of problems with the SRVLOC
dissector; I'll be checking it in.
Index: packet-srvloc.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/packet-srvloc.c,v
retrieving revision 1.9
diff -c -r1.9 packet-srvloc.c
*** packet-srvloc.c	2000/05/31 05:07:48	1.9
--- packet-srvloc.c	2000/08/04 07:35:48
***************
*** 147,153 ****
      { AUTH_FAILED, "Authentication failed" },
  };
  
! void
  dissect_authblk(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
  {
      struct tm *stamp;
--- 147,153 ----
      { AUTH_FAILED, "Authentication failed" },
  };
  
! static int
  dissect_authblk(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
  {
      struct tm *stamp;
***************
*** 172,177 ****
--- 172,178 ----
      proto_tree_add_text(tree, NullTVB, offset, length, "Authentication block: %s",
  			format_text(&pd[offset], length));
      offset += length;
+     return offset;
  };
  
  /* Packet dissection routine called by tcp & udp when port 427 detected */
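Review bot: The visible tail of dissect_authblk still passes `length` to `format_text(&pd[offset], length)` with no bounds check in view, and the function now returns `offset + length` to callers that keep parsing from that value. If `length` comes from the packet, as it does elsewhere in this file, an oversized value lets the read run past the captured data and pushes the caller's offset beyond the frame. A guard such as `if (!BYTES_ARE_IN_FRAME(offset, length)) return offset;` ahead of the "Authentication block" line would match the checks this patch adds in the callers. The body of dissect_authblk starts outside the hunk, so an earlier check may already exist there; worth confirming.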
***************
*** 182,189 ****
      proto_item *ti, *tf;
      proto_tree *srvloc_tree, *srvloc_flags;
      struct srvloc_hdr srvloc_hdr;
!     int count;
!     int length;
      
      if (check_col(fd, COL_PROTOCOL))
          col_add_str(fd, COL_PROTOCOL, "SRVLOC");
--- 183,190 ----
      proto_item *ti, *tf;
      proto_tree *srvloc_tree, *srvloc_flags;
      struct srvloc_hdr srvloc_hdr;
!     guint32 count;
!     guint32 length;
      
      if (check_col(fd, COL_PROTOCOL))
          col_add_str(fd, COL_PROTOCOL, "SRVLOC");
***************
*** 223,387 ****
              switch (srvloc_hdr.function) {
                  case SRVREQ:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Request");
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Predicate length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Predicate: %s", format_text(&pd[offset], length));
                      offset += length;
                  break;
              
                  case SRVRPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Reply");
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);;
!                     offset += 2;
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL Count: %d", pntohs(&pd[offset]));
!                     offset += 2;
!                     for (count = pntohs(&pd[offset]) + 1; count > 0; count--, offset++) {
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL lifetime: %d", pntohs(&pd[offset]));
                          offset += 2;
                          length = pntohs(&pd[offset]);
!                         proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %d", length);
                          offset += 2;
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                          offset += length;
                          if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                             dissect_authblk(pd, offset, fd, srvloc_tree);
                      };
                  break;
  
                  case SRVREG:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Registration");
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL lifetime: %d", pntohs(&pd[offset]));
                      offset += 2;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                         dissect_authblk(pd, offset, fd, srvloc_tree);
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
  
                  case SRVDEREG:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Deregister");
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                         dissect_authblk(pd, offset, fd, srvloc_tree);
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
              
                  case SRVACK:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Acknowledge");
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);;
                      offset += 2;
                  break;
  
                  case ATTRRQST:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Attribute Request");
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                  break;
              
                  case ATTRRPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Attribute Reply");
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);;
                      offset += 2;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
              
                  case DAADVERT:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "DA Advertisement");
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);;
                      offset += 2;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                  break;
  
                  case SRVTYPERQST:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Type Request");
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Naming Authority List length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Naming Authority List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %d", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                  break;
  
                  case SRVTYPERPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Type Reply");
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);;
!                     offset += 2;
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Service Type Count: %d", pntohs(&pd[offset]));
!                     offset += 2;
!                     for (count = pntohs(&pd[offset]) + 1; count > 0; count--, offset++) {
                          length = pntohs(&pd[offset]);
!                         proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Service Type List length: %d", length);
                          offset += 2;
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service Type List: %s", format_text(&pd[offset], length));
                          offset += length;
                      };
                  break;
  
--- 224,482 ----
              switch (srvloc_hdr.function) {
                  case SRVREQ:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Request");
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Predicate length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Predicate: %s", format_text(&pd[offset], length));
                      offset += length;
                  break;
              
                  case SRVRPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Reply");
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);
!                     offset += 2;
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
! 		    count = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL Count: %u", count);
!                     offset += 2;
!                     while (count > 0) {
! 			if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			    break;
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL lifetime: %d", pntohs(&pd[offset]));
                          offset += 2;
+ 			if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			    break;
                          length = pntohs(&pd[offset]);
!                         proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %u", length);
                          offset += 2;
+ 			if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			    break;
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                          offset += length;
                          if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                             offset = dissect_authblk(pd, offset, fd, srvloc_tree);
! 			count--;
                      };
                  break;
  
                  case SRVREG:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Registration");
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL lifetime: %d", pntohs(&pd[offset]));
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                         offset = dissect_authblk(pd, offset, fd, srvloc_tree);
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         offset = dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
  
                  case SRVDEREG:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Deregister");
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %u", length);
                      offset += 2;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_U) == FLAG_U ) 
!                         offset = dissect_authblk(pd, offset, fd, srvloc_tree);
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         offset = dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
              
                  case SRVACK:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Acknowledge");
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);
                      offset += 2;
                  break;
  
                  case ATTRRQST:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Attribute Request");
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                  break;
              
                  case ATTRRPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Attribute Reply");
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Attribute List length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Attribute List: %s", format_text(&pd[offset], length));
                      offset += length;
                      if ( (srvloc_hdr.flags & FLAG_A) == FLAG_A ) 
!                         offset = dissect_authblk(pd, offset, fd, srvloc_tree);
                  break;
              
                  case DAADVERT:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "DA Advertisement");
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "URL length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service URL: %s", format_text(&pd[offset], length));
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                  break;
  
                  case SRVTYPERQST:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Type Request");
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Previous Response List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Previous Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Naming Authority List length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Naming Authority List: %s", format_text(&pd[offset], length)); 
                      offset += length;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
+ 			break;
                      length = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Scope List Length: %u", length);
                      offset += 2;
+ 		    if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			break;
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Scope Response List: %s", format_text(&pd[offset], length)); 
                      offset += length;
                  break;
  
                  case SRVTYPERPLY:
                      proto_tree_add_text(srvloc_tree, NullTVB, offset, 0, "Service Type Reply");
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
!                     proto_tree_add_uint(srvloc_tree, hf_srvloc_error, NullTVB, offset, 2, pd[offset]);
!                     offset += 2;
! 		    if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			break;
! 		    count = pntohs(&pd[offset]);
!                     proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Service Type Count: %u", count);
!                     offset += 2;
!                     while (count > 0) {
! 			if (!BYTES_ARE_IN_FRAME(offset, 2))
! 			    break;
                          length = pntohs(&pd[offset]);
!                         proto_tree_add_text(srvloc_tree, NullTVB, offset, 2, "Service Type List length: %u", length);
                          offset += 2;
+ 			if (!BYTES_ARE_IN_FRAME(offset, length))
+ 			    break;
                          proto_tree_add_text(srvloc_tree, NullTVB, offset, length, "Service Type List: %s", format_text(&pd[offset], length));
                          offset += length;
+                         count--;
                      };
                  break;
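Review bot: In the SRVDEREG case the new `BYTES_ARE_IN_FRAME(offset, length)` check sits after the `proto_tree_add_text(..., "Service URL: %s", format_text(&pd[offset], length))` call, so a URL length larger than the captured data still reaches format_text before the guard runs. Every other case in the hunk checks first. The two lines `if (!BYTES_ARE_IN_FRAME(offset, length))` and `break;` should move above the Service URL line. Separately, the error-code items still pass `pd[offset]` (one byte) for a field added with length 2, which looks like it should be `pntohs(&pd[offset])`. The enclosing function starts and ends outside the hunk.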