author | Gerald Combs <gerald@wireshark.org> | 2011-05-13 17:12:44 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2011-05-13 17:12:44 +0000 |
commit | 14a9ef9cb2a627e488821b43678e1a67b12fa5d7 (patch) | |
tree | d58322add8ecdaf5bd09ed5d288c97fd7ce2611a | |
parent | dece07c8f3971c176c819337277f5fdfefe071c0 (diff) |
From Huzaifa Sidhpurwala of the Red Hat Security Response Team: Fix an
integer overflow in wiretap/visual.c.
svn path=/trunk/; revision=37128
-rw-r--r-- | wiretap/visual.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/wiretap/visual.c b/wiretap/visual.c
index 306fb0211b..9c48fe22be 100644
--- a/wiretap/visual.c
+++ b/wiretap/visual.c
@@ -420,6 +420,15 @@ static gboolean visual_read(wtap *wth, int *err, gchar **err_info,
 break;
 }
 
+ if (wth->phdr.len > WTAP_MAX_PACKET_SIZE) {
+ /* Check if wth->phdr.len is sane, small values of wth.phdr.len before
+ the case loop above can cause integer underflows */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("visual: File has %u-byte original packet, bigger than maximum of %u",
+ wth->phdr.len, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
+
 /* Sanity check */
 if (wth->phdr.len < wth->phdr.caplen)
 { |
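Review bot: The new bound on `wth->phdr.len` runs only after the switch above has done its arithmetic, so a too-short record is caught only because the unsigned length has already wrapped past `WTAP_MAX_PACKET_SIZE`, and the error text then reports that wrapped value as a "bigger than maximum" packet. The check would be easier to audit, and the message accurate, if each case rejected a length smaller than the amount it removes before subtracting; the switch and the rest of `visual_read` lie outside this hunk, so the exact amounts are not visible here. At minimum the comment should state the mechanism, for example `/* phdr.len is unsigned; a record shorter than its encapsulation header wraps to a huge value in the switch above and is rejected here */`. Whether `caplen` receives the same adjustment is not visible in the hunk and is worth confirming, since only the `len < caplen` clamp below bounds it.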