diff options
| author | Gerald Combs <gerald@wireshark.org> | 2005-04-29 14:25:07 +0000 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2005-04-29 14:25:07 +0000 |
| commit | c7dfef632137c9eff4182aae89703a4616091ad1 (patch) | |
| tree | f0c1da24e83be8ae983a36e5a62f254c87267d2c | |
| parent | f905153266e99bd58b8677833d66b755ca42042f (diff) | |
Break out of another large-but-not-infinite loop. Fixes bug 143.
svn path=/trunk/; revision=14229
| -rw-r--r-- | epan/dissectors/packet-ncp2222.inc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc index 36749acd27..cdbd25d0df 100644 --- a/epan/dissectors/packet-ncp2222.inc +++ b/epan/dissectors/packet-ncp2222.inc @@ -2594,7 +2594,7 @@ process_multivalues(proto_tree *ncp_tree, tvbuff_t *tvb, nds_val *values) { guint32 i; guint32 r; - guint32 ioffset = 0; + guint32 ioffset = 0, oldioffset; guint32 value1 = 0; guint32 value2 = 0; guint8 value3 = 0; @@ -2920,8 +2920,14 @@ process_multivalues(proto_tree *ncp_tree, tvbuff_t *tvb, nds_val *values) break; case MVTYPE_ATTR_REQUEST2: /* Attribute Request */ + oldioffset = 0; for (i = 1 ; i <= values->vvalue; i++ ) { + if (oldioffset >= ioffset) { + proto_tree_add_text(ntree, tvb, 0, 0, "[ Invalid offset: %u ]", ioffset); + return; + } + oldioffset = ioffset; ioffset += align_4(tvb, ioffset); value1 = tvb_get_letohl(tvb, ioffset); proto_tree_add_uint_format(ntree, hf_nds_uint32value, tvb, ioffset, |