author | Evan Huus <eapache@gmail.com> | 2015-08-11 18:35:45 -0400 |
committer | Anders Broman <a.broman58@gmail.com> | 2015-08-15 06:52:38 +0000 |
commit | 85d2eef6193e7516b25a1fa05e4e000774846455 (patch) | |
tree | 00fb8d34c77965f6ef7ed3b76ce6aa1437ced2f3 | |
parent | 677d4d6be28aa45c08db93b9ad087e294431804c (diff) |
btatt: guard against incomplete reassembly
If we try to reassemble a fragment whose end does not line up exactly with the
start of the following fragment, abort; otherwise we would leave uninitialized
gaps in the resulting buffer.
Bug: 11436
Change-Id: I4cd05c1a9ac4404bf70a3945f80b12f7bf5f74ee
Reviewed-on: https://code.wireshark.org/review/9983
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-btatt.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/epan/dissectors/packet-btatt.c b/epan/dissectors/packet-btatt.c
index 34f0176868..b6da0d2a47 100644
--- a/epan/dissectors/packet-btatt.c
+++ b/epan/dissectors/packet-btatt.c
@@ -2886,7 +2886,6 @@ get_value(packet_info *pinfo, guint32 handle, bluetooth_data_t *bluetooth_data,
 return NULL;
 }
-last_offset = fragment_data->offset;
 if (first) {
 size = fragment_data->offset + fragment_data->length;
 data = (guint8 *) wmem_alloc(pinfo->pool, size);
@@ -2896,12 +2895,18 @@ get_value(packet_info *pinfo, guint32 handle, bluetooth_data_t *bluetooth_data,
 first = FALSE;
 }
+else if (fragment_data->offset + fragment_data->length != last_offset) {
+if (length)
+*length = 0;
+return NULL;
+}
 memcpy(data + fragment_data->offset, fragment_data->data, fragment_data->length);
 if (fragment_data->offset == 0)
 return data;
 frame_number = fragment_data->data_in_frame - 1;
+last_offset = fragment_data->offset;
 }
 if (length) |
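Review bot: The added `else if` rejects gaps between consecutive fragments, but the first-fragment branch just above it (context in the first hunk) still sizes the buffer with `size = fragment_data->offset + fragment_data->length` and never checks that this sum did not wrap; if those fields are 32-bit values recorded from earlier packets, a wrapped sum would under-allocate `data` and the `memcpy` at `data + fragment_data->offset` would write past it, so the same abort-and-return-NULL path should be taken when the addition overflows. The purpose of the new check is also worth a comment, e.g. `/* fragments are walked back-to-front and must tile the buffer exactly; a gap would leave uninitialized bytes in data, so abort */`. Moving `last_offset = fragment_data->offset;` to the end of the loop body is sound only because the `first` iteration can never reach the comparison, which deserves a one-line comment at the assignment. get_value's body starts before the first hunk and continues past the end of the second.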