fixed various issues (two serious ones) found by "private" fuzz-testing

svn path=/trunk/; revision=14830
author: Ulf Lamping <ulf.lamping@web.de> 2005-07-01 21:04:13 +0000
committer: Ulf Lamping <ulf.lamping@web.de> 2005-07-01 21:04:13 +0000
commit: 2ce8d2a30f519ad93ef8aaf2e29fcc96ab95c2dd (patch)
tree: c5e1bcc1278dd9072b28d40e266c7a3cae57830c /epan/dissectors/packet-bssgp.c
parent: 22fff1e1f308ed3849c3dddd15eff189bb7326ea (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/epan/dissectors/packet-bssgp.c b/epan/dissectors/packet-bssgp.c
index 2e085f372b..38013c4c6b 100644
--- a/epan/dissectors/packet-bssgp.c
+++ b/epan/dissectors/packet-bssgp.c
@@ -1309,6 +1309,7 @@ decode_mobile_identity(bssgp_ie_t *ie, build_info_t *bi, int ie_start_offset) {
   case BSSGP_MOBILE_IDENTITY_TYPE_IMEISV:
     num_digits = 1 + (ie->value_length - 1) * 2;
     if (odd_even != ODD ) num_digits--;
+    if (num_digits > MAX_NUM_IMSI_DIGITS) THROW(ReportedBoundsError);
 
     i = 0;
     digits[i] = get_masked_guint8(data, BSSGP_MASK_LEFT_OCTET_HALF);
@@ -5377,7 +5378,14 @@ decode_pdu_ran_information(build_info_t *bi) {
   decode_pdu_general(ies, 7, bi);
 
   while (tvb_length_remaining(bi->tvb, bi->offset) >= 4) {
+    guint32 org_offset = bi->offset;
+
     decode_ie(&ies[7], bi);
+
+    /* prevent an endless loop */
+    if(org_offset == bi->offset) {
+        THROW(ReportedBoundsError);
+    }
   }
 }
author	Ulf Lamping <ulf.lamping@web.de>	2005-07-01 21:04:13 +0000
committer	Ulf Lamping <ulf.lamping@web.de>	2005-07-01 21:04:13 +0000
commit	2ce8d2a30f519ad93ef8aaf2e29fcc96ab95c2dd (patch)
tree	c5e1bcc1278dd9072b28d40e266c7a3cae57830c /epan/dissectors/packet-bssgp.c
parent	22fff1e1f308ed3849c3dddd15eff189bb7326ea (diff)