author | Michael Mann <mmann78@netscape.net> | 2017-04-27 09:15:01 -0400 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-04-27 14:29:59 +0000 |
commit | f6431695049116176361ce4691dfd3c77ab19858 (patch) | |
tree | f962ad608ebc99851ae6827e7cc152825109cf8f /epan/dissectors/packet-opensafety.c | |
parent | a1152a2a1f486e07e861afcc56ab0f16bb9c7a83 (diff) |
[OpenSafety] Bugfix invalid length calculation.
Length calculation leads to -1, which will result in a large malloc
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1212
Bug: 13649
Change-Id: Iccb78b8c8ec9ca8e8f97bc12d0d8f41526d1f791
Reviewed-on: https://code.wireshark.org/review/21367
Reviewed-by: Roland Knall <rknall@gmail.com>
Petri-Dish: Roland Knall <rknall@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-opensafety.c')
-rw-r--r-- | epan/dissectors/packet-opensafety.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/dissectors/packet-opensafety.c b/epan/dissectors/packet-opensafety.c index 21d43d7eea..0fb098da71 100644 --- a/epan/dissectors/packet-opensafety.c +++ b/epan/dissectors/packet-opensafety.c @@ -1286,6 +1286,13 @@ dissect_opensafety_ssdo_message(tvbuff_t *message_tvb, packet_info *pinfo, proto else { payloadSize = dataLength - (payloadOffset - db0Offset); + if ((gint)dataLength < (payloadOffset - db0Offset)) + { + if ( global_opensafety_debug_verbose ) + expert_add_info_format(pinfo, opensafety_item, &ei_payload_length_not_positive, + "Calculation for payload length yielded non-positive result [%d]", (gint)payloadSize ); + return; + } if ( fragmentId != 0 && packet->payload.ssdo->sacmd.segmented ) { |
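Review bot: The new guard in the else branch tests `(gint)dataLength < (payloadOffset - db0Offset)`, so a result of exactly zero passes, while the expert-info text reports a "non-positive" result. Either use `<=` if a zero-length payload is also invalid at this point, or reword the message to "negative" so the check and the diagnostic agree. The guard also sits after `payloadSize = dataLength - (payloadOffset - db0Offset);`, so the subtraction has already run when it is tested; placing the comparison ahead of the assignment keeps the out-of-range value from ever being stored in payloadSize. The expert info is added only when `global_opensafety_debug_verbose` is set, so otherwise the function returns on a bad length without any indication in the tree; consider adding the expert info unconditionally before the `return`.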