author | Pascal Quantin <pascal.quantin@gmail.com> | 2017-11-28 22:08:18 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-11-29 04:35:19 +0000 |
commit | 041e3e7c27c78308d0d515171f52a39f8260782b (patch) | |
tree | 49e1b332229cea7f1b3dee437c10f13fed01b9cb | |
parent | e29378b030dc58948263abead03f7e1a49e3f415 (diff) |
CIP Safety: check packet length before dissecting
Otherwise we can call CRC functions with a negative value, leading to
a segmentation fault.
Bug: 14250
Change-Id: I394fa91a5cfa1700fb12441d4884c0367b39df8b
Reviewed-on: https://code.wireshark.org/review/24621
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-cipsafety.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/dissectors/packet-cipsafety.c b/epan/dissectors/packet-cipsafety.c index 233e6b5161..6156decb7d 100644 --- a/epan/dissectors/packet-cipsafety.c +++ b/epan/dissectors/packet-cipsafety.c @@ -1511,6 +1511,11 @@ dissect_cip_safety_data( proto_tree *tree, proto_item *item, tvbuff_t *tvb, int /* compute the base packet length to determine what is actual I/O data */ base_length = multicast ? 12 : 6; + if (item_length <= base_length) { + expert_add_info(pinfo, item, &ei_mal_io); + return; + } + if (((conn_type == ECIDT_O2T) && (server_dir == FALSE)) || ((conn_type == ECIDT_T2O) && (server_dir == TRUE))) { |
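Review bot: The new guard `if (item_length <= base_length)` in dissect_cip_safety_data() carries no comment saying what it protects. Per the commit message it keeps a negative length from reaching the CRC functions, so a one-line comment above the check stating that would stop a later refactor from dropping or moving it. The `<=` also reports a packet of exactly base_length (12 for multicast, 6 otherwise) as malformed, meaning a packet with zero I/O data bytes is rejected; if that is intended, say so in the same comment. If the branches that follow compute their CRC lengths from item_length with offsets larger than base_length for some formats, confirm this single bound covers the largest of them.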