From ec5adb0ce98c37c8119feb972a5207e0e1721d9b Mon Sep 17 00:00:00 2001
From: Peter Wu <[email protected]>
Date: Thu, 11 Oct 2018 00:02:26 +0200
Subject: [PATCH] tvbuff_composite: fix buffer overflow due to wrong offset
 adjustment

The tvb_offset method should return the offset of the buffer within the
backing tvb (ds_tvb). The currently returned non-zero offset is valid
for tvbuff_subset.c, but not for the composite TVB. The backing tvb is
the tvb itself, so the offset should be zero (or "counter" for
consistency with tvbuff_real.c and others).

This bug is observable with the capture from the bug. In tshark, the
data field in the PDML output has value "field length invalid!" and the
position attribute ("pos") is too large. With the -V option it even
crashes with a buffer overflow (read). In the GUI, the bytes tab shows
range 3199-19642 even if the data source is only 16444 bytes while the
selection should have been 0-16443.

Bug: 14466
Change-Id: I01399ff500321dba262eb60b67c4cddb173b4679
Reviewed-on: https://code.wireshark.org/review/30124
Petri-Dish: Peter Wu <[email protected]>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <[email protected]>
---
 epan/tvbuff_composite.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/epan/tvbuff_composite.c b/epan/tvbuff_composite.c
index f77aace..53cdbca 100644
--- a/epan/tvbuff_composite.c
+++ b/epan/tvbuff_composite.c
@@ -51,12 +51,9 @@ composite_free(tvbuff_t *tvb)
 }
 
 static guint
-composite_offset(const tvbuff_t *tvb, const guint counter)
+composite_offset(const tvbuff_t *tvb _U_, const guint counter)
 {
-	const struct tvb_composite *composite_tvb = (const struct tvb_composite *) tvb;
-	const tvbuff_t *member = (const tvbuff_t *)composite_tvb->composite.tvbs->data;
-
-	return tvb_offset_from_real_beginning_counter(member, counter);
+	return counter;
 }
 
 static const guint8*
-- 
1.7.12.4