scsi-osd: fix overflow leading to infinite loop

Thanks to Vlad Tsyrklevich for the report. Bug: 11024 Change-Id: I9defc6fc72339b2f6ba12b46172b776d798647cd Reviewed-on: https://code.wireshark.org/review/7463 Petri-Dish: Evan Huus <eapache@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Evan Huus <eapache@gmail.com>
author: Evan Huus <eapache@gmail.com> 2015-03-01 18:45:24 -0500
committer: Evan Huus <eapache@gmail.com> 2015-03-02 14:11:44 +0000
commit: c35ca6c051adb28c321db54cc138f18637977c9a (patch)
tree: 75436e257cd73929b9c787da85886fbc6c9f0a14 /epan/dissectors/packet-scsi-osd.c
parent: 608cf324b3962877e9699f3e81e8f82ac9f1ea14 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/epan/dissectors/packet-scsi-osd.c b/epan/dissectors/packet-scsi-osd.c
index d9c87d95d6..4091ce72ba 100644
--- a/epan/dissectors/packet-scsi-osd.c
+++ b/epan/dissectors/packet-scsi-osd.c
@@ -1008,7 +1008,10 @@ dissect_osd2_cdb_continuation(packet_info *pinfo, tvbuff_t *tvb, guint32 offset,
             expert_add_info(pinfo, item_length, &ei_osd2_cdb_continuation_descriptor_length_invalid);
             return;
         }
-        offset += length+padlen;
+        /* check for overflow */
+        if (offset + length + padlen > offset) {
+            offset += length+padlen;
+        }
     }
 
 }
author	Evan Huus <eapache@gmail.com>	2015-03-01 18:45:24 -0500
committer	Evan Huus <eapache@gmail.com>	2015-03-02 14:11:44 +0000
commit	c35ca6c051adb28c321db54cc138f18637977c9a (patch)
tree	75436e257cd73929b9c787da85886fbc6c9f0a14 /epan/dissectors/packet-scsi-osd.c
parent	608cf324b3962877e9699f3e81e8f82ac9f1ea14 (diff)