authorGuy Harris <guy@alum.mit.edu>2001-08-02 07:16:05 +0000
committerGuy Harris <guy@alum.mit.edu>2001-08-02 07:16:05 +0000
commitbbb52d060b3f0dccf5862a80e9cc8ac1efcf928b (patch)
treeac0d48bdc7c3859a2a2a3ebed916a1824d7c1440
parentd451acb66cce2ac3e881b66226c43098794dad9b (diff)
Put in some checks to make sure we're not running past the end of the
packet; this is far from a complete set of checks - the right way to make this dissector safe is to tvbuffify it - but it's sufficient to eliminate most cases where my regression tests bogusly reported that the packet was dissected differently due to different stuff being past the end of the packet. svn path=/trunk/; revision=3807
-rw-r--r--packet-smb.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/packet-smb.c b/packet-smb.c
index 8dbcc91163..5f6b8b7ac7 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -2,7 +2,7 @@
* Routines for smb packet dissection
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
*
- * $Id: packet-smb.c,v 1.86 2001/07/30 07:36:28 guy Exp $
+ * $Id: packet-smb.c,v 1.87 2001/08/02 07:16:05 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@@ -9204,6 +9204,9 @@ dissect_transact2_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *
/* Build display for: Byte Count (BCC) */
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
ByteCount = GSHORT(pd, offset);
if (tree) {
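Review bot: ByteCount is taken from the wire, and the guard added in dissect_transact2_smb only proves that the two bytes of the count field itself were captured, not the ByteCount bytes that the field describes. The code that consumes ByteCount lies outside this hunk, so whether it is bounded there cannot be seen from here. If it is not, a second check once `offset` has moved past the field, `if (!BYTES_ARE_IN_FRAME(offset, ByteCount)) return;` (or clamping ByteCount to what remains), would stop a truncated or crafted count from steering later reads past the captured data. The same applies to ByteCount in the dissect_transact_smb hunk at -9937.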
@@ -9739,6 +9742,9 @@ dissect_transact_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *p
/* Build display for: Total Data Count */
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
TotalDataCount = GSHORT(pd, offset);
if (tree) {
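Review bot: The bare `return;` after the failed BYTES_ARE_IN_FRAME test ends dissection without leaving anything in the tree, so an analyst cannot tell a frame that was cut short or deliberately malformed from one that simply had no more fields. Nothing visible in this hunk or in the six others that add the same guard (-9204, -9937, -10721, -10818, -10902, -10915) records the truncation. If the dissector has a way to show the remaining bytes as raw data or to mark the frame as short, using it before returning would preserve that evidence. At minimum each guard deserves a comment such as `/* frame ends before this 16-bit field; stop rather than read past the captured data */`. The enclosing functions start and end outside the hunks.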
@@ -9937,6 +9943,9 @@ dissect_transact_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *p
/* Build display for: Byte Count (BCC) */
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
ByteCount = GSHORT(pd, offset);
if (tree) {
@@ -10721,6 +10730,9 @@ dissect_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int
/* Handle error code */
+ if (!BYTES_ARE_IN_FRAME(SMB_offset + 10, 2))
+ return;
+
if (GSHORT(pd, SMB_offset + 10) & 0x4000) {
/* handle NT 32 bit error code */
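Review bot: The offset `SMB_offset + 10` and the mask `0x4000` are unexplained, and the offset now appears in both the guard and the test, so a later edit can change one and miss the other. A comment above the guard, `/* Flags2 is the 16-bit field at offset 10 of the SMB header; bit 0x4000 selects 32-bit NT status codes */`, would say why those two bytes must be present before the error code can be interpreted. The hunk at -10818 reads flags2 again through `offset`; if that is the same field, its guard can never fail once this one has passed, which is worth a comment there as well. dissect_smb continues outside the hunk.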
@@ -10818,6 +10830,9 @@ dissect_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int
offset += 1;
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
flags2 = GSHORT(pd, offset);
if (tree) {
@@ -10902,6 +10917,9 @@ dissect_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int
/* Now the TID, tree ID */
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
tid = GSHORT(pd, offset);
si.tid = tid;
@@ -10915,6 +10933,9 @@ dissect_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *tree, int
/* Now the PID, Process ID */
+ if (!BYTES_ARE_IN_FRAME(offset, 2))
+ return;
+
pid = GSHORT(pd, offset);
si.pid = pid;