Check for an invalid MCC length. Fixes bug 4212.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@30936 f5534014-38df-0310-8fa8-9805f1628bb7

1 files changed, 8 insertions, 6 deletions

diff --git a/epan/dissectors/packet-btrfcomm.c b/epan/dissectors/packet-btrfcomm.c
index fe8fdc5c90..a9782e8e65 100644
--- a/epan/dissectors/packet-btrfcomm.c
+++ b/epan/dissectors/packet-btrfcomm.c
@@ -51,6 +51,7 @@
 #include <epan/value_string.h>
 #include <etypes.h>
 #include <epan/emem.h>
+#include <epan/expert.h>
 #include "packet-btl2cap.h"
 
 static int hf_pf = -1;
@@ -693,20 +694,21 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
 		switch(mcc_type) {
 		case 0x20: /* Parameter Negotiation */
-			if ((check_col(pinfo->cinfo, COL_INFO))){
-				col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
-			}
+			col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
 			dissect_ctrl_pn(pinfo, ctrl_tree, tvb, offset, mcc_cr_flag);
 			break;
 		case 0x38: /* Model Status Command */
-			if ((check_col(pinfo->cinfo, COL_INFO))){
-				col_append_str(pinfo->cinfo, COL_INFO, "Model Status Command ");
-			}
+			col_append_str(pinfo->cinfo, COL_INFO, "Model Status Command ");
 			dissect_ctrl_msc(ctrl_tree, tvb, offset, length);
 			break;
 		}
 		offset += length;
 
+		if (offset < start_offset) {
+			expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
+			return;
+		}
+
 		proto_item_set_len(mcc_ti, offset-start_offset);
 	}