Make the MCC length check a little more picky.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@30937 f5534014-38df-0310-8fa8-9805f1628bb7
author: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-11-12 02:03:10 +0000
committer: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-11-12 02:03:10 +0000
commit: 0975dce066f966d0a283f278c5fb2aaa75ebce3c (patch)
tree: b79f8cd457dc38468edeb9cd2569e6d855b43126 /epan/dissectors/packet-btrfcomm.c
parent: 1f599213f29c22b1d375ac062bf656b279e60df8 (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/epan/dissectors/packet-btrfcomm.c b/epan/dissectors/packet-btrfcomm.c
index a9782e8e65..07ccea0ad7 100644
--- a/epan/dissectors/packet-btrfcomm.c
+++ b/epan/dissectors/packet-btrfcomm.c
@@ -692,6 +692,12 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 		/* len */
 		offset = get_le_multi_byte_value(tvb, offset, ctrl_tree, &length, hf_mcc_len);
 
+
+		if (length > (guint32) tvb_length_remaining(tvb, offset)) {
+			expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
+			return;
+		}
+
 		switch(mcc_type) {
 		case 0x20: /* Parameter Negotiation */
 			col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
@@ -704,11 +710,6 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 		}
 		offset += length;
 
-		if (offset < start_offset) {
-			expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
-			return;
-		}
-
 		proto_item_set_len(mcc_ti, offset-start_offset);
 	}
author	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-11-12 02:03:10 +0000
committer	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-11-12 02:03:10 +0000
commit	0975dce066f966d0a283f278c5fb2aaa75ebce3c (patch)
tree	b79f8cd457dc38468edeb9cd2569e6d855b43126 /epan/dissectors/packet-btrfcomm.c
parent	1f599213f29c22b1d375ac062bf656b279e60df8 (diff)