authorPascal Quantin <pascal.quantin@gmail.com>2017-11-28 22:08:18 +0100
committerAnders Broman <a.broman58@gmail.com>2017-11-29 04:35:19 +0000
commit041e3e7c27c78308d0d515171f52a39f8260782b (patch)
tree49e1b332229cea7f1b3dee437c10f13fed01b9cb
parente29378b030dc58948263abead03f7e1a49e3f415 (diff)
CIP Safety: check packet length before dissecting
Otherwise we can call CRC functions with a negative value, leading to a segmentation fault. Bug: 14250 Change-Id: I394fa91a5cfa1700fb12441d4884c0367b39df8b Reviewed-on: https://code.wireshark.org/review/24621 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-cipsafety.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/dissectors/packet-cipsafety.c b/epan/dissectors/packet-cipsafety.c
index 233e6b5161..6156decb7d 100644
--- a/epan/dissectors/packet-cipsafety.c
+++ b/epan/dissectors/packet-cipsafety.c
@@ -1511,6 +1511,11 @@ dissect_cip_safety_data( proto_tree *tree, proto_item *item, tvbuff_t *tvb, int
/* compute the base packet length to determine what is actual I/O data */
base_length = multicast ? 12 : 6;
+ if (item_length <= base_length) {
+ expert_add_info(pinfo, item, &ei_mal_io);
+ return;
+ }
+
if (((conn_type == ECIDT_O2T) && (server_dir == FALSE)) ||
((conn_type == ECIDT_T2O) && (server_dir == TRUE)))
{
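Review bot: The new guard sits ahead of the `conn_type`/`server_dir` direction test, so the same `item_length <= base_length` limit applies to every branch of the function. If the branch that follows handles a fixed-size message whose length can equal `base_length` (its body is not visible here), valid packets would now be flagged with `ei_mal_io` and left undissected. Consider moving the check into the branch that actually derives a data size from `item_length - base_length`, or confirm that no branch accepts a packet of exactly `base_length` bytes. The guard also deserves a comment naming the failure it prevents, e.g. `/* item_length - base_length must be positive: it is later used as the length given to the CRC functions */`, which is inferred from the commit message. The function body starts before and continues after this hunk.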