netflow: fix undefined shift

Treat any prefix length larger than 32 as 32 (effectively not masking
anything) and treat a zero-length prefix as the empty mask (matching
anything).

Change-Id: If96b03c2f76ff7624d50fefdf0b025ab373c07dc
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1152
Bug: 13607
Reviewed-on: https://code.wireshark.org/review/21189
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>

1 files changed, 9 insertions, 3 deletions

diff --git a/epan/dissectors/packet-netflow.c b/epan/dissectors/packet-netflow.c
index 797cca7ec7..d5e35cf29f 100644
--- a/epan/dissectors/packet-netflow.c
+++ b/epan/dissectors/packet-netflow.c
@@ -2288,7 +2288,7 @@ static int      dissect_v9_v10_options_template(tvbuff_t *tvb, packet_info *pinf
 static int      dissect_v9_v10_data_template(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pdutree,
                                     int offset, int len, hdrinfo_t *hdrinfo_p, guint16 flowset_id);
 
-static const gchar *getprefix(const guint32 *address, int prefix);
+static const gchar *getprefix(const guint32 *address, unsigned prefix);
 
 static int      flow_process_ints(proto_tree *pdutree, tvbuff_t *tvb,
                                   int offset);
@@ -7709,12 +7709,18 @@ dissect_pdu(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *pdutree, int offs
 }
 
 static const gchar   *
-getprefix(const guint32 *addr, int prefix)
+getprefix(const guint32 *addr, unsigned prefix)
 {
     guint32 gprefix;
     address prefix_addr;
 
-    gprefix = *addr & g_htonl((0xffffffff << (32 - prefix)));
+    if (prefix == 0) {
+        gprefix = 0;
+    } else if (prefix < 32) {
+        gprefix = *addr & g_htonl((0xffffffff << (32 - prefix)));
+    } else {
+        gprefix = *addr;
+    }
 
     set_address(&prefix_addr, AT_IPv4, 4, &gprefix);
     return address_to_str(wmem_packet_scope(), &prefix_addr);