diff options
author | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-04-30 17:43:05 +0000 |
---|---|---|
committer | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2011-04-30 17:43:05 +0000 |
commit | 3a0b6fcc1ca28d902bc49747842f499bb5936a99 (patch) | |
tree | 29d895199657cf78eb4f4c2764c15d5f6d49194a /epan/dissectors/packet-dcm.c | |
parent | 805c21bae81e274833ac1eb5bc152e2d7cac617e (diff) |
Check our PDU length. Fixes the infinite loop found in bug 5876.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@36958 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-dcm.c')
-rw-r--r-- | epan/dissectors/packet-dcm.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/dissectors/packet-dcm.c b/epan/dissectors/packet-dcm.c index 1ea7ed100f..2daf94777a 100644 --- a/epan/dissectors/packet-dcm.c +++ b/epan/dissectors/packet-dcm.c @@ -6519,6 +6519,7 @@ dissect_dcm_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i /* Process all PDUs in the buffer */ while (pdu_start < tlen) { + guint32 old_pdu_start; if ((pdu_len+6) > (tlen-offset)) { @@ -6539,7 +6540,13 @@ dissect_dcm_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start); /* Next PDU */ + old_pdu_start = pdu_start; pdu_start = pdu_start + pdu_len + 6; + if (pdu_start <= old_pdu_start) { + expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR, + "Invalid PDU length (%u)", pdu_len); + THROW(ReportedBoundsError); + } if (pdu_start < tlen - 6) { /* we got at least 6 bytes of the next PDU still in the buffer */ |