Catch TLVs with bogus lengths (i.e., less than the fixed-length header

size); otherwise, we run the risk of looping forever. svn path=/trunk/; revision=3581
author: Guy Harris <guy@alum.mit.edu> 2001-06-20 05:18:36 +0000
committer: Guy Harris <guy@alum.mit.edu> 2001-06-20 05:18:36 +0000
commit: 5d8b3d565986cd3925e615b5c09bfbd7b9f9fe61 (patch)
tree: b2d5635314dd619fd1317e403c1c2d689ffce963 /packet-cdp.c
parent: 8073087bdfcbade2ddec1bddec3e11fa22968b07 (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/packet-cdp.c b/packet-cdp.c
index cb96c4e75b..1ea1862c57 100644
--- a/packet-cdp.c
+++ b/packet-cdp.c
@@ -2,7 +2,7 @@
  * Routines for the disassembly of the "Cisco Discovery Protocol"
  * (c) Copyright Hannes R. Boehm <hannes@boehm.org>
  *
- * $Id: packet-cdp.c,v 1.37 2001/06/18 02:17:45 guy Exp $
+ * $Id: packet-cdp.c,v 1.38 2001/06/20 05:18:36 guy Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@zing.org>
@@ -134,6 +134,18 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	while (tvb_reported_length_remaining(tvb, offset) != 0) {
 	    type = tvb_get_ntohs(tvb, offset + TLV_TYPE);
 	    length = tvb_get_ntohs(tvb, offset + TLV_LENGTH);
+	    if (length < 4) {
+		tlvi = proto_tree_add_text(cdp_tree, tvb, offset, 4,
+		    "TLV with invalid length %u (< 4)",
+		    length);
+		tlv_tree = proto_item_add_subtree(tlvi, ett_cdp_tlv);
+		proto_tree_add_uint(tlv_tree, hf_cdp_tlvtype, tvb,
+			    offset + TLV_TYPE, 2, type);
+		proto_tree_add_uint(tlv_tree, hf_cdp_tlvlength, tvb,
+			    offset + TLV_LENGTH, 2, length);
+		offset += 4;
+		break;
+	    }
 
 	    switch (type) {
author	Guy Harris <guy@alum.mit.edu>	2001-06-20 05:18:36 +0000
committer	Guy Harris <guy@alum.mit.edu>	2001-06-20 05:18:36 +0000
commit	5d8b3d565986cd3925e615b5c09bfbd7b9f9fe61 (patch)
tree	b2d5635314dd619fd1317e403c1c2d689ffce963 /packet-cdp.c
parent	8073087bdfcbade2ddec1bddec3e11fa22968b07 (diff)