Wireshark-bugs: [Wireshark-bugs] [Bug 7666] Endless loop in dissect_drda()
Date: Mon, 27 Aug 2012 09:37:03 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666

Pascal Quantin <pascal.quantin@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pascal.quantin@xxxxxxxxx

--- Comment #1 from Pascal Quantin <pascal.quantin@xxxxxxxxx> 2012-08-27 09:37:02 PDT ---
Infinite loop occurs because of the iLength read at line 698:

    while ((guint) (offset + 10) <= tvb_length(tvb))
    {
[...]
        iLength = tvb_get_ntohs(tvb, offset + 0);
[...]
        if (tree)
        {
[...]
        else
        {
            /* No tree, advance directly to next command */
            offset += iLength;
        }
    }

When iLength is equal to 0 (what happens with packet 28881), the loop above
runs forever.
As it looks like the minimum size for iLength should be 10 bytes, putting an
expert info when iLength < 10 and either aborting dissection of the packet or
forcing iLength to 10 should avoid the loop. I believe that the expert info +
stopping dissection of the current packet with a malformed packet error is
probably the best choice.
Can anyone knowing this protocol confirm this is the best thing to do? Any
suggestion is welcome.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.