From f998e785d5ead49c57ef282765519d4ae75e056e Mon Sep 17 00:00:00 2001
From: Jaap Keuter
Date: Sun, 22 Mar 2020 14:10:27 +0100
Subject: RTCP: contain BYE packet dissection to its stated length
The Goodbye RTCP packet dissection has to derive whether the optional "Reason for leaving" string is present or not. This has to be derived from the length. When put into a compound RTCP packet, the length derivation from the TVB length does not work, because another RTCP packet may follow in this compound RTCP packet. With this change the stated length of this RTCP packet is passed to the RTCP BYE packet dissection function in order to make a proper length determination and not overrun into the next RTCP packet in the compound RTCP packet.
Bug: 16434
Change-Id: Iab0fdd52c745028a9928bbef6c731ff649213277
Reviewed-on: https://code.wireshark.org/review/36532
Petri-Dish: Anders Broman
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-rtcp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/epan/dissectors/packet-rtcp.c b/epan/dissectors/packet-rtcp.c
index 6d07153f1e..b059fbaf2a 100644
--- a/epan/dissectors/packet-rtcp.c
+++ b/epan/dissectors/packet-rtcp.c
@@ -2825,7 +2825,7 @@ dissect_rtcp_app( tvbuff_t *tvb,packet_info *pinfo, int offset, proto_tree *tree
 static int
 dissect_rtcp_bye( tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tree,
- unsigned int count )
+ unsigned int count, unsigned int packet_length )
 {
 unsigned int chunk;
 unsigned int reason_length = 0;
@@ -2839,7 +2839,7 @@ dissect_rtcp_bye( tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *tre
 chunk++;
 }
- if ( tvb_reported_length_remaining( tvb, offset ) > 0 ) {
+ if (count * 4 < packet_length) {
 /* Bye reason consists of an 8 bit length l and a string with length l */
 reason_length = tvb_get_guint8( tvb, offset );
 proto_tree_add_item( tree, hf_rtcp_sdes_length, tvb, offset, 1, ENC_BIG_ENDIAN );
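Review bot: The new `packet_length` parameter in the `dissect_rtcp_bye` signature has no comment saying what it measures, and the caller in `dissect_rtcp` passes `packet_length-4`, so the same name denotes two different quantities on either side of the call. A comment above the function such as `/* packet_length: stated length of this BYE packet in bytes, excluding the common header */` would keep a later caller from passing the full length. With the full length, a BYE that has no reason string would satisfy `count * 4 < packet_length`, and the first byte of the next packet in the compound would be read as a reason length. The function body continues outside the hunk.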
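Review bot: The added test `count * 4 < packet_length` only decides whether a reason string is present; the `reason_length` byte read on the next line is not compared against the stated length in any line visible here. A BYE whose reason length exceeds the bytes left in this packet could therefore still be dissected into the following packet of a compound RTCP packet. A bound after the read, for example `if (count * 4 + 1 + reason_length > packet_length)` followed by an expert-info item or a clamp to the remainder, would keep the dissection inside this packet. The SSRC loop whose tail (`chunk++; }`) sits just above the changed line also appears to advance by `count` entries without consulting `packet_length`. Both the loop and the later use of `reason_length` lie outside the hunk, so this should be confirmed against the full function.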
@@ -4279,7 +4279,7 @@ dissect_rtcp( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
 offset++;
 /* Packet length in 32 bit words MINUS one, 16 bits */
 offset = dissect_rtcp_length_field(rtcp_tree, tvb, offset);
- offset = dissect_rtcp_bye( tvb, pinfo, offset, rtcp_tree, elem_count );
+ offset = dissect_rtcp_bye( tvb, pinfo, offset, rtcp_tree, elem_count, packet_length-4 );
 break;
 case RTCP_APP: {
 /* Subtype, 5 bits */
--
cgit v1.2.3
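Review bot: `packet_length-4` at the `dissect_rtcp_bye` call feeds a parameter declared `unsigned int` in the signature hunk, so if `packet_length` could ever be below 4 at this point the subtraction would wrap to a very large value and the callee's `count * 4 < packet_length` test would always pass. The assignment of `packet_length` is outside this hunk; if it is computed as (length field + 1) * 4, as the "32 bit words MINUS one" comment suggests, the minimum is 4 and the expression is safe. That invariant deserves a comment at the call, e.g. `/* packet_length >= 4 here; strip the common header */`. A named constant for the header size would also read better than the bare `4`.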