authorGerald Combs <gerald@wireshark.org>2005-09-13 19:01:01 +0000
committerGerald Combs <gerald@wireshark.org>2005-09-13 19:01:01 +0000
commita242f1926b83c03433f662eca9559eff32d25669 (patch)
tree893b198d5452872019a447d92fbc24b29490dd63
parenta65676817016effd8167d977a710d38248e280fe (diff)
In smb_trans_defragment(), throw an exception if we encounter a too-large
fragment size. The limit is conservatively set at 65536 bytes. It may have to be increased. Fixes bug 421. Add an entry to the release notes. svn path=/trunk/; revision=15789
-rw-r--r--docbook/release-notes.xml8
-rw-r--r--epan/dissectors/packet-smb.c9
2 files changed, 17 insertions, 0 deletions
diff --git a/docbook/release-notes.xml b/docbook/release-notes.xml
index 7735c15eab..2d962683ef 100644
--- a/docbook/release-notes.xml
+++ b/docbook/release-notes.xml
@@ -156,6 +156,14 @@ Gnu info
Versions affected: 0.10.12.
</para></listitem>
+ <listitem><para>
+ If SMB transaction payload reassembly is enabled the SMB
+ dissector could crash. This preference is disabled by default.
+ <!-- Fixed in r15789 -->
+ <!-- Bug IDs: 421 -->
+ Versions affected: 0.9.7 to 0.10.12.
+ </para></listitem>
+
</itemizedlist>
</para>
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index 8d96725f21..74c85b6e51 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -826,6 +826,11 @@ smb_trans_reassembly_init(void)
fragment_table_init(&smb_trans_fragment_table);
}
+/*
+ * XXX - This keeps us from allocating huge amounts of memory as shown in
+ * bug 421. It may need to be increased.
+ */
+#define MAX_FRAGMENT_SIZE 65536
static fragment_data *
smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
int offset, int count, int pos, int totlen)
@@ -834,6 +839,10 @@ smb_trans_defragment(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb,
smb_info_t *si;
int more_frags;
+ if (count > MAX_FRAGMENT_SIZE || count < 0) {
+ THROW(ReportedBoundsError);
+ }
+
more_frags=totlen>(pos+count);
si = (smb_info_t *)pinfo->private_data;
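Review bot: The new guard bounds `count` but leaves `pos` and `totlen` (both `int` parameters of smb_trans_defragment) unchecked, and the very next line computes `pos+count` in signed int arithmetic, so a large or negative `pos` can still overflow that sum, and presumably still size the reassembly buffer by the fragment's end offset rather than by `count` alone (the fragment_add call is below the hunk, so this part is inferred). Consider widening the condition to `if (count < 0 || count > MAX_FRAGMENT_SIZE || pos < 0 || pos > MAX_FRAGMENT_SIZE - count || totlen < 0) {` so the limit applies to the end offset as well; whether `totlen` should share the same 65536 limit depends on the reassembly code and should be confirmed there. As a point of style, `MAX_FRAGMENT_SIZE` is a file-scope macro in the first hunk of this file with a very generic name; an SMB-specific prefix such as `SMB_TRANS_MAX_FRAGMENT_SIZE` would avoid clashes in a dissector this large. The function body continues outside the hunk.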