authorGerald Combs <gerald@wireshark.org>2011-05-11 22:36:59 +0000
committerGerald Combs <gerald@wireshark.org>2011-05-11 22:36:59 +0000
commit995d748f0561867b02682d2468fb7ae935866de3 (patch)
treeda4ac9611b40256bc04dc2c0879d31acf5af48a2 /wiretap
parentd264cd565898f2fcaf17aea30eb529ddff9db097 (diff)
Check our original record length. Fixes a crash bug found by Huzaifa
Sidhpurwala of the Red Hat Security Response Team. svn path=/trunk/; revision=37068
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/snoop.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/wiretap/snoop.c b/wiretap/snoop.c
index 89cc8a5f8a..552cdbe37e 100644
--- a/wiretap/snoop.c
+++ b/wiretap/snoop.c
@@ -473,6 +473,16 @@ static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
rec_size = g_ntohl(hdr.rec_len);
orig_size = g_ntohl(hdr.orig_len);
packet_size = g_ntohl(hdr.incl_len);
+ if (orig_size > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
+ orig_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
if (packet_size > WTAP_MAX_PACKET_SIZE) {
/*
* Probably a corrupt capture file; don't blow up trying
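Review bot: The comment in the added `orig_size` check repeats the allocation rationale of the `packet_size` check below it word for word, but nothing visible in the hunk shows `orig_size` sizing an allocation, so the reason this field has to be bounded is left unstated. I would replace it with something like `/* orig_len is read straight from the file; reject values no real capture can hold before it is used further. */`, adjusted to name the use that actually crashed. Separately, `WTAP_MAX_PACKET_SIZE` is passed to `%u` without a cast; if the macro expands to a signed int constant the argument does not match the specifier, which `(guint)WTAP_MAX_PACKET_SIZE` would settle. `rec_size` comes from the same untrusted header and is not checked in the visible lines; snoop_read continues outside the hunk, so confirm it is validated there before use.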