TDS: Sanity check number of columns to prevent crash.

Bug: 11846 Change-Id: I6eac46dc397263fe005e803730c5d3084bfb7f74 Reviewed-on: https://code.wireshark.org/review/12391 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
author: Michael Mann <mmann78@netscape.net> 2015-12-02 19:33:40 -0500
committer: Anders Broman <a.broman58@gmail.com> 2015-12-03 05:14:14 +0000
commit: e78093f69f1e95df919bbe644baa06c7e4e720c0 (patch)
tree: 29d72bd5738cfa3bad8d722dc4d08cce1ac1c4b0
parent: 0102033ca3dfdcef37cee5760fb6d4dc71418cab (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/epan/dissectors/packet-tds.c b/epan/dissectors/packet-tds.c
index 4872bbce96..3c25cc9eb2 100644
--- a/epan/dissectors/packet-tds.c
+++ b/epan/dissectors/packet-tds.c
@@ -2922,6 +2922,10 @@ dissect_tds7_colmetadata_token(tvbuff_t *tvb, struct _netlib_data *nl_data, guin
     num_columns = tvb_get_letohs(tvb, cur);
     nl_data->num_cols = num_columns;
     proto_tree_add_item(tree, hf_tds_colmetadata_columns, tvb, cur, 2, ENC_LITTLE_ENDIAN);
+    if (nl_data->num_cols > TDS_MAX_COLUMNS) {
+        nl_data->num_cols = 0;
+        return 0;
+    }
     cur +=2;
 
     for(i=0; i != num_columns; i++) {
author	Michael Mann <mmann78@netscape.net>	2015-12-02 19:33:40 -0500
committer	Anders Broman <a.broman58@gmail.com>	2015-12-03 05:14:14 +0000
commit	e78093f69f1e95df919bbe644baa06c7e4e720c0 (patch)
tree	29d72bd5738cfa3bad8d722dc4d08cce1ac1c4b0
parent	0102033ca3dfdcef37cee5760fb6d4dc71418cab (diff)