Check our PDU length. Fixes the infinite loop found in bug 5876.

svn path=/trunk/; revision=36958
author: Gerald Combs <gerald@wireshark.org> 2011-04-30 17:43:05 +0000
committer: Gerald Combs <gerald@wireshark.org> 2011-04-30 17:43:05 +0000
commit: b97275395f2b00ec5b60e0af01b504c12746ce44 (patch)
tree: 29d895199657cf78eb4f4c2764c15d5f6d49194a /epan/dissectors/packet-dcm.c
parent: 48abbd7f6c1a26e19016dc6146f92002d0eafca9 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/dissectors/packet-dcm.c b/epan/dissectors/packet-dcm.c
index 1ea7ed100f..2daf94777a 100644
--- a/epan/dissectors/packet-dcm.c
+++ b/epan/dissectors/packet-dcm.c
@@ -6519,6 +6519,7 @@ dissect_dcm_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
 
      /* Process all PDUs in the buffer */
     while (pdu_start < tlen) {
+	guint32 old_pdu_start;
 
 	if ((pdu_len+6) > (tlen-offset)) {
 
@@ -6539,7 +6540,13 @@ dissect_dcm_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean i
 	offset=dissect_dcm_pdu(tvb, pinfo, tree, pdu_start);
 
 	/* Next PDU */
+	old_pdu_start = pdu_start;
 	pdu_start =  pdu_start + pdu_len + 6;
+	if (pdu_start <= old_pdu_start) {
+	    expert_add_info_format(pinfo, NULL, PI_MALFORMED, PI_ERROR,
+		"Invalid PDU length (%u)", pdu_len);
+	    THROW(ReportedBoundsError);
+	}
 
 	if (pdu_start < tlen - 6) {
 	    /* we got at least 6 bytes of the next PDU still in the buffer */
author	Gerald Combs <gerald@wireshark.org>	2011-04-30 17:43:05 +0000
committer	Gerald Combs <gerald@wireshark.org>	2011-04-30 17:43:05 +0000
commit	b97275395f2b00ec5b60e0af01b504c12746ce44 (patch)
tree	29d895199657cf78eb4f4c2764c15d5f6d49194a /epan/dissectors/packet-dcm.c
parent	48abbd7f6c1a26e19016dc6146f92002d0eafca9 (diff)