diff options
author | Pascal Quantin <pascal.quantin@gmail.com> | 2016-07-25 09:54:06 +0200 |
---|---|---|
committer | Pascal Quantin <pascal.quantin@gmail.com> | 2016-07-25 07:58:02 +0000 |
commit | 47a5fa850b388fcf4ea762073806f01b459820fe (patch) | |
tree | a9075ad01c2085a832fbf088f2029a08d0dcbd35 | |
parent | 55069dad4a1f0c61e5f9c349389cecff0130cf32 (diff) |
RLC: fix a stack overflow in rlc_decode_li function
The test to check whether the array was full or not was off by 1
Bug: 12664
Change-Id: If2057b71d92c7f03e05b0f4676abc62d5a03ae73
Reviewed-on: https://code.wireshark.org/review/16640
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
-rw-r--r-- | epan/dissectors/packet-rlc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-rlc.c b/epan/dissectors/packet-rlc.c index e346a9075b..d573fed329 100644 --- a/epan/dissectors/packet-rlc.c +++ b/epan/dissectors/packet-rlc.c @@ -1813,7 +1813,7 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree li[num_li].tree = tree_add_li(mode, &li[num_li], num_li, li_offs, li_on_2_bytes, tvb, tree); num_li++; - if (num_li > max_li) { + if (num_li >= max_li) { /* OK, so this is not really a malformed packet, but for now, * we will treat it as such, so that it is marked in some way */ expert_add_info(pinfo, li[num_li-1].tree, &ei_rlc_li_too_many); |