On Mon, Mar 06, 2017 at 06:30:33PM +0100, [email protected] wrote:
> > > + /* Next three bytes are the length of the message. The total length
> > > + * must be this decoded length + 4. If the length given as argument
> > > + * is not the same, we abort the protocol dissector.
> > > + */
> > > + rec_len = (msg[1] << 3) + (msg[2] << 2) + msg[3];
> >
> > Here. The correct statement is:
> >
> > rec_len = msg[1] * 65536 + msg[2] * 256 + msg[3];
> >
> > (or << 16, << 8)

But Thierry, are you doing it on purpose to annoy me? It's the third time
you get it wrong after I propose the correct version, as you can see with
your version below it's still wrong and differs from the two proposed
versions above:

> + rec_len = (msg[1] << 24) + (msg[2] << 16) + msg[3];

And below:

> + if (len < rec_len + 4)
> + return;
> + msg += 4;
> + end = msg + rec_len;
> + if (end <= msg)
> + return;

This one was still not fixed :-(

> +
> + /* Expect 2 bytes for protocol version (1 byte for major and 1 byte
> + * for minor, the random, composed by 4 bytes for the unix time and
> + * 28 bytes for unix payload, and them 1 byte for the session id. So
> + * we jump 1 + 1 + 4 + 28 + 1 bytes.
> + */
> + msg += 1 + 1 + 4 + 28 + 1;
> + if (msg >= end)
> + return;

This one neither :-(

> +
> + /* Next two bytes are the ciphersuite length. */
> + if (msg + 2 > end)
> + return;
> + rec_len = (msg[0] << 16) + msg[1];

This one is still wrong as well :-(

Please double-check next time, it's time consuming to re-read the same
bugs between two versions, each time I have to reread the whole patch.

Willy
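Review bot: the 3-byte handshake length is still decoded with the wrong shifts in `rec_len = (msg[1] << 24) + (msg[2] << 16) + msg[3];`; a big-endian 24-bit field is `(msg[1] << 16) + (msg[2] << 8) + msg[3]`, exactly as the quoted `msg[1] * 65536 + msg[2] * 256 + msg[3]` says. With `<< 24` and `<< 16` every non-zero value of msg[1] or msg[2] lands outside the 24-bit field, so the `len < rec_len + 4` test that follows is comparing against a meaningless number. Since each `msg[i]` is promoted to int before the shift, cast to an unsigned 32-bit type first so that a high byte of 0x80 or more cannot shift into the sign bit.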
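Review bot: in `if (len < rec_len + 4) return; msg += 4; end = msg + rec_len; if (end <= msg) return;` the second test can only fire for `rec_len == 0` once the first has passed, so it enforces nothing useful, and the comment above says the total length "must be this decoded length + 4" while `<` only rejects shorter buffers and lets longer ones through. Suggest `if (len != rec_len + 4) return;` to match the comment, and replace `end <= msg` with a minimum body length check covering the 1 + 1 + 4 + 28 + 1 fixed bytes that the next hunk skips.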
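Review bot: the "1 byte for the session id" in the comment above `msg += 1 + 1 + 4 + 28 + 1;` is the session id length, not the session id; the session id of that length follows and must be skipped as well before the next hunk reads the ciphersuite length, otherwise any ClientHello with a non-empty session id is misparsed. Also, `msg += 35; if (msg >= end)` forms the advanced pointer before checking there is room for it, unlike the `msg + 2 > end` pattern used below; check `end - msg` against the fixed size first, then advance. Typo in the comment: "and them 1 byte" should read "and then 1 byte".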
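Review bot: `rec_len = (msg[0] << 16) + msg[1];` uses the wrong shift for the 2-byte ciphersuite length; a big-endian 16-bit field is `(msg[0] << 8) + msg[1]`. As written, any non-zero high byte gives a value 256 times too large, which will then be compared against the remaining length.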
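As an added example, not part of this mail, of HAProxy, or of Thierry's patch: a bounds-checked walk over the ClientHello fields discussed above, decoding the 3-byte and 2-byte big-endian lengths with the `<< 16`/`<< 8` and `<< 8` shifts Willy asks for, placed next to the patch's `<< 24`/`<< 16` formula so the difference can be seen on one concrete length. The function names (`count_ciphersuites`, `build_client_hello`, `be24`, `be16`, `patch_be24`) and all sample bytes are my own construction.

```c
/* Added example, not HAProxy code and not the patch under review.
 * Walks the fixed part of a TLS ClientHello with bounds checks and
 * decodes its big-endian length fields. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 3-byte big-endian handshake length: << 16, << 8, as the review asks. */
static uint32_t be24(const unsigned char *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* The formula from the patch (<< 24, << 16), kept only to show the gap. */
static uint32_t patch_be24(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) + p[2];
}

/* 2-byte big-endian ciphersuite list length. */
static uint32_t be16(const unsigned char *p)
{
    return ((uint32_t)p[0] << 8) | p[1];
}

/* Constructed 3-byte length field encoding 256. */
static const unsigned char LEN_256[3] = { 0x00, 0x01, 0x00 };

/* Parse a ClientHello handshake message (msg[0] is the handshake type).
 * Returns the number of ciphersuites offered, or -1 if the message is
 * truncated or inconsistent. Every advance of msg is preceded by a check
 * on end - msg, so no pointer is ever formed past end. */
int count_ciphersuites(const unsigned char *msg, size_t len)
{
    const unsigned char *end;
    uint32_t rec_len, cs_len;
    size_t sid_len;

    if (len < 4 || msg[0] != 0x01)      /* type(1) + length(3); client_hello */
        return -1;
    rec_len = be24(msg + 1);
    if (len != (size_t)rec_len + 4)     /* total must be exactly header + body */
        return -1;
    msg += 4;
    end = msg + rec_len;

    /* version(2) + random(4 + 28) + session id length(1) are fixed size */
    if ((size_t)(end - msg) < 2 + 32 + 1)
        return -1;
    msg += 2 + 32;
    sid_len = msg[0];
    msg += 1;
    if ((size_t)(end - msg) < sid_len)  /* the session id body must be skipped too */
        return -1;
    msg += sid_len;

    if ((size_t)(end - msg) < 2)
        return -1;
    cs_len = be16(msg);
    msg += 2;
    if (cs_len == 0 || (cs_len & 1) || (size_t)(end - msg) < cs_len)
        return -1;
    return (int)(cs_len / 2);
}

/* Build a constructed ClientHello: TLS 1.2, 8-byte session id, three
 * ciphersuites, null compression. Returns the total length written. */
size_t build_client_hello(unsigned char *out, size_t cap)
{
    static const unsigned char body[] = {
        0x03, 0x03,                                     /* version */
        0x5a, 0xb1, 0xc2, 0xd3,                         /* gmt_unix_time (made up) */
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 28 random bytes (made up) */
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b,
        0x08,                                           /* session id length */
        0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, /* session id */
        0x00, 0x06,                                     /* ciphersuite length */
        0xc0, 0x2f, 0xc0, 0x30, 0x00, 0x9c,             /* three suites */
        0x01, 0x00                                      /* compression: null */
    };
    size_t n = sizeof(body);

    if (cap < n + 4)
        return 0;
    out[0] = 0x01;                      /* client_hello */
    out[1] = (unsigned char)(n >> 16);  /* 3-byte big-endian length */
    out[2] = (unsigned char)(n >> 8);
    out[3] = (unsigned char)n;
    memcpy(out + 4, body, n);
    return n + 4;
}
```

On the constructed message `count_ciphersuites` returns 3, and returns -1 as soon as the buffer is one byte shorter or longer than the declared length or the length field is tampered with. `be24(LEN_256)` is 256 while `patch_be24(LEN_256)` is 65536, which is the disagreement the review is about.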

