authorNoel Power <noel.power@suse.com>2017-01-06 16:23:18 +0000
committerAnders Broman <a.broman58@gmail.com>2017-01-07 07:05:15 +0000
commit0dcbfab4265b4f494a7b162d2c34c99ed7994541 (patch)
tree0bff4a502941f4a6ac1962a1d104af17ba5fcd3b /epan/dissectors/packet-mswsp.c
parentae5dbe1b63b5660e46d0fbd5c1bb0b6e8fa8f45f (diff)
Make column size sanity check more sensible.
The existing sanity check on column_size makes incorrect assumptions about the size of the CTableColumn structure (which is an internal dissector structure that contains optional data). The sanity check test *always* fails. This change uses the minimum size of CTableColumn structure instead which should prevent excessive allocation during fuzz testing. Bug: 13299 Change-Id: Id9fcbc15a4df4c74bb7576c6fdca1000890947fd Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-on: https://code.wireshark.org/review/19566 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-mswsp.c')
-rw-r--r--epan/dissectors/packet-mswsp.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-mswsp.c b/epan/dissectors/packet-mswsp.c
index c025d428b9..fd0fb5df91 100644
--- a/epan/dissectors/packet-mswsp.c
+++ b/epan/dissectors/packet-mswsp.c
@@ -294,6 +294,8 @@ struct CTableColumn {
guint16 lengthoffset;
char name[PROP_LENGTH];
};
+/* minimum size in bytes on the wire CTableColumn can be */
+#define MIN_CTABLECOL_SIZE 8
/* 2.2.3.10 */
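Review bot: The comment on `MIN_CTABLECOL_SIZE` does not say how 8 is derived, so the constant cannot be checked against the structure or the protocol document it comes from. I would list the mandatory on-wire fields that add up to it, along the lines of `/* minimum on-wire size of CTableColumn: <mandatory fields> = 8 bytes, optional fields omitted */`, with the field list filled in from the specification. The struct definition begins above the hunk, so the field sizes are not visible here.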
@@ -5922,7 +5924,7 @@ static int dissect_CPMSetBindings(tvbuff_t *tvb, packet_info *pinfo, proto_tree
proto_tree_add_item(tree, hf_mswsp_msg_cpmsetbinding_acolumns, tvb, offset, size-4, ENC_NA);
/* Sanity check size value */
- column_size = num*sizeof(struct CTableColumn);
+ column_size = num*MIN_CTABLECOL_SIZE;
if (column_size > tvb_reported_length_remaining(tvb, offset))
{
expert_add_info(pinfo, ti, &ei_mswsp_msg_cpmsetbinding_ccolumns);
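Review bot: The product in `column_size = num*MIN_CTABLECOL_SIZE;` can still wrap if `num` is a 32-bit count taken from the packet, in which case a very large count yields a small `column_size` and passes the check that is meant to stop excessive allocation. The declarations of `num` and `column_size` are outside the hunk, so this is inferred; if it holds, widen before multiplying, `column_size = (guint64)num * MIN_CTABLECOL_SIZE;`, or compare `num` against the remaining length divided by `MIN_CTABLECOL_SIZE` so no product is formed. The comparison also sets this value against the return of `tvb_reported_length_remaining()`, so it is worth confirming both sides have the same signedness. The body of dissect_CPMSetBindings continues outside the hunk.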