diff options
author | Bill Meier <wmeier@newsguy.com> | 2009-08-22 17:12:33 +0000 |
---|---|---|
committer | Bill Meier <wmeier@newsguy.com> | 2009-08-22 17:12:33 +0000 |
commit | 2d91ad03f9323bbe9381eb64a1a133ff52cba99a (patch) | |
tree | c682ef7f7e5dcadc0c2bcabba8c9b77eacfb27f6 | |
parent | 3c86b750e53733ced8e759459c57fe8c82af2aeb (diff) |
Additional validation of 'len' for crc32_ccitt_tvb... fcns;
(-1 is not a valid length);
First of 2 fixes for crash reported in Bug #3925.
svn path=/trunk/; revision=29505
-rw-r--r-- | epan/crc32.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/epan/crc32.c b/epan/crc32.c index 11062c0139..7ea1eb8918 100644 --- a/epan/crc32.c +++ b/epan/crc32.c @@ -202,7 +202,10 @@ crc32_ccitt_seed(const guint8 *buf, guint len, guint32 seed) guint32 crc32_ccitt_tvb(tvbuff_t *tvb, guint len) { - const guint8* buf = tvb_get_ptr(tvb, 0, len); + const guint8* buf; + + tvb_ensure_bytes_exist(tvb, 0, len); /* len == -1 not allowed */ + buf = tvb_get_ptr(tvb, 0, len); return ( crc32_ccitt_seed(buf, len, CRC32_CCITT_SEED) ); } @@ -210,7 +213,10 @@ crc32_ccitt_tvb(tvbuff_t *tvb, guint len) guint32 crc32_ccitt_tvb_offset(tvbuff_t *tvb, guint offset, guint len) { - const guint8* buf = tvb_get_ptr(tvb, offset, len); + const guint8* buf; + + tvb_ensure_bytes_exist(tvb, offset, len); /* len == -1 not allowed */ + buf = tvb_get_ptr(tvb, offset, len); return ( crc32_ccitt(buf, len) ); } @@ -218,7 +224,10 @@ crc32_ccitt_tvb_offset(tvbuff_t *tvb, guint offset, guint len) guint32 crc32_ccitt_tvb_seed(tvbuff_t *tvb, guint len, guint32 seed) { - const guint8* buf = tvb_get_ptr(tvb, 0, len); + const guint8* buf; + + tvb_ensure_bytes_exist(tvb, 0, len); /* len == -1 not allowed */ + buf = tvb_get_ptr(tvb, 0, len); return ( crc32_ccitt_seed(buf, len, seed) ); } @@ -226,7 +235,10 @@ crc32_ccitt_tvb_seed(tvbuff_t *tvb, guint len, guint32 seed) guint32 crc32_ccitt_tvb_offset_seed(tvbuff_t *tvb, guint offset, guint len, guint32 seed) { - const guint8* buf = tvb_get_ptr(tvb, offset, len); + const guint8* buf; + + tvb_ensure_bytes_exist(tvb, offset, len); /* len == -1 not allowed */ + buf = tvb_get_ptr(tvb, offset, len); return ( crc32_ccitt_seed(buf, len, seed) ); } |