ipsec: Don't use NULL heuristic if padding length is impossible

If the ESP NULL heuristic is on, but interpreting the padding length byte as unencrypted would leave fewer than zero bytes remaining for the payload tvb, just consider the heuristic failed instead of trying to create the next_tvb subset and thus throwing an error.
author: John Thacker <johnthacker@gmail.com> 2022-02-01 19:32:09 -0500
committer: A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org> 2022-02-02 01:05:16 +0000
commit: 09ecc11be550f7af4f2c953beb8a0eb7188fc063 (patch)
tree: 1e8bdcd7335cd7a40555f349a55d3626667c4fe5
parent: 8ef0114995fa64b29b521924fdc654c48ccf5ca4 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ipsec.c b/epan/dissectors/packet-ipsec.c
index f229f8b1c3..4d18fd5db0 100644
--- a/epan/dissectors/packet-ipsec.c
+++ b/epan/dissectors/packet-ipsec.c
@@ -2196,7 +2196,7 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
         esp_pad_len = tvb_get_guint8(tvb, esp_packet_len - 14);
         encapsulated_protocol = tvb_get_guint8(tvb, esp_packet_len - 13);
         dissector_handle = dissector_get_uint_handle(ip_dissector_table, encapsulated_protocol);
-        if (dissector_handle) {
+        if (dissector_handle && (ESP_HEADER_LEN + 14 + esp_pad_len) <= esp_packet_len) {
           saved_match_uint  = pinfo->match_uint;
           pinfo->match_uint = encapsulated_protocol;
           next_tvb = tvb_new_subset_length(tvb, ESP_HEADER_LEN, esp_packet_len - ESP_HEADER_LEN - 14 - esp_pad_len);
author	John Thacker <johnthacker@gmail.com>	2022-02-01 19:32:09 -0500
committer	A Wireshark GitLab Utility <gerald+gitlab-utility@wireshark.org>	2022-02-02 01:05:16 +0000
commit	09ecc11be550f7af4f2c953beb8a0eb7188fc063 (patch)
tree	1e8bdcd7335cd7a40555f349a55d3626667c4fe5
parent	8ef0114995fa64b29b521924fdc654c48ccf5ca4 (diff)