
ZigBee TLV: fix infinite loop in deeply nested packets

Martin Nyhus requested to merge zidel_/wireshark:zbee_beacon_loop into master

When analyzing a packet that hits the recursion limit, returning the remaining length of the buffer would allow backtracking, setting up an infinite loop if the packet is constructed correctly, and the code would fail by hitting the too-many-items check.

Since dissect_zbee_tlvs doesn't know the length of the value it is dissecting, it can't pretend to have consumed all of it. Most of the callers of this function eventually check for bytes that weren't consumed, so returning offset (i.e. no bytes consumed) makes the value get treated as unknown bytes.

Input to fuzzshark_zbee_beacon that triggered this: fb 03 49 ff 49 eb 49 ff 49 ff 49 eb 49 ff
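Added example, not Wireshark's dissect_zbee_tlvs and not code from this merge request: a small Python model of a nested TLV walker whose recursion-limit path either returns the remaining length (the bug) or the current offset (the fix), showing the backwards cursor the description refers to and how returning offset lets the caller mark the value as unknown bytes. The TLV layout, the NESTED type value, the depth limit and the packet bytes are assumptions constructed for the demo.

```python
# Constructed model of the bug in this merge request; not Wireshark's code.
# Assumed TLV layout: 1-byte type, 1-byte length, value; type NESTED marks a
# value that itself holds TLVs, so the walker recurses under a depth limit.
NESTED = 0xEB
MAX_DEPTH = 3

class LoopDetected(Exception): pass  # step budget exhausted: no progress

def dissect_tlvs(buf, offset, end, depth, buggy, budget, items):
    """Walk TLVs in buf[offset:end]; return the offset after consumed bytes.
    Returning `offset` unchanged means "nothing consumed" (unknown bytes)."""
    if depth > MAX_DEPTH:
        # Bug: a LENGTH (bytes left) goes back to a caller that stores it as
        # the next OFFSET, so the cursor can jump backwards. Fix: return offset.
        return (end - offset) if buggy else offset
    while offset + 2 <= end:
        budget[0] -= 1
        if budget[0] < 0:
            raise LoopDetected(f"cursor stuck near offset {offset}")
        typ, length = buf[offset], buf[offset + 1]
        value_start = offset + 2
        value_end = min(value_start + length, end)
        if typ == NESTED:
            new_offset = dissect_tlvs(buf, value_start, value_end, depth + 1,
                                      buggy, budget, items)
            if new_offset == value_start:
                items.append(("unknown", value_start, value_end))
                offset = value_end
            else:
                offset = new_offset  # with the bug this may move backwards
        else:
            items.append((typ, value_start, value_end))
            offset = value_end
    return offset

def dissect(buf, buggy=False, budget=200):
    items = []
    return dissect_tlvs(buf, 0, len(buf), 0, buggy, [budget], items), items

def hits_loop(buf, buggy):
    try:
        dissect(buf, buggy)
        return False
    except LoopDetected:
        return True

# Constructed packet (not the reproducer from the merge request): four nested
# containers, one deeper than MAX_DEPTH allows, then a plain 4-byte TLV.
DEEP = bytes.fromhex("eb0c eb0a eb08 eb06 0104 deadbeef")
```

With the buggy return, the innermost call hands back 6 bytes remaining, the caller stores 6 as its next offset and re-dissects the same container until the step budget trips; with the fix, the caller sees zero bytes consumed, records the value as unknown and reaches the end of the buffer.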
