From Dirk:

CAPWAP dissector tries to allocate -1 bytes of memory during reassembly. - changed to return offset. svn path=/trunk/; revision=39779
author: Anders Broman <anders.broman@ericsson.com> 2011-11-10 06:07:16 +0000
committer: Anders Broman <anders.broman@ericsson.com> 2011-11-10 06:07:16 +0000
commit: 4c379bc979f61169e5cc6997a6b00372d3378785 (patch)
tree: b40b739960c6de1915c3e68f5c742c65c939f684 /epan/dissectors/packet-capwap.c
parent: b529b73943cc21dab3bcf75eb5e1437a5660966d (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/epan/dissectors/packet-capwap.c b/epan/dissectors/packet-capwap.c
index a56075c07c..2f2f908d8e 100644
--- a/epan/dissectors/packet-capwap.c
+++ b/epan/dissectors/packet-capwap.c
@@ -1374,13 +1374,17 @@ dissect_capwap_control(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
 	if (global_capwap_reassemble && fragment_is)
 	{
+		const int len_rem = tvb_length_remaining(tvb, offset);
+		if (len_rem <= 0) 
+			return offset;
+
 		pinfo->fragmented = TRUE;
 
 		frag_msg = fragment_add_check(tvb, offset, pinfo,fragment_id,
 		                              capwap_fragment_table,
 		                              capwap_reassembled_table,
 		                              fragment_offset,
-		                              tvb_length_remaining(tvb, offset),
+		                              len_rem,
 		                              fragment_more);
 
 		next_tvb = process_reassembled_data(tvb, offset, pinfo,
author	Anders Broman <anders.broman@ericsson.com>	2011-11-10 06:07:16 +0000
committer	Anders Broman <anders.broman@ericsson.com>	2011-11-10 06:07:16 +0000
commit	4c379bc979f61169e5cc6997a6b00372d3378785 (patch)
tree	b40b739960c6de1915c3e68f5c742c65c939f684 /epan/dissectors/packet-capwap.c
parent	b529b73943cc21dab3bcf75eb5e1437a5660966d (diff)