diff options
| author | Gerald Combs <gerald@wireshark.org> | 2005-06-15 22:08:43 +0000 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2005-06-15 22:08:43 +0000 |
| commit | 979d807cf5d1768ce8e891e7196f29a902209457 (patch) | |
| tree | 3c9dbaf965b21f5380fbfaa5a53dd2605722bead /epan/dissectors/packet-dcerpc-browser.c | |
| parent | c2b95343987537cca02ec6fddb9c30c39967a316 (diff) | |
Make sure dissect_browser_TYPE_12_data() returns the right value. Catch
integer overflows in that and other functions. Fixes bug 236.
svn path=/trunk/; revision=14640
Diffstat (limited to 'epan/dissectors/packet-dcerpc-browser.c')
| -rw-r--r-- | epan/dissectors/packet-dcerpc-browser.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/epan/dissectors/packet-dcerpc-browser.c b/epan/dissectors/packet-dcerpc-browser.c index 38da56a299..6a086ebcba 100644 --- a/epan/dissectors/packet-dcerpc-browser.c +++ b/epan/dissectors/packet-dcerpc-browser.c @@ -94,6 +94,7 @@ dissect_browser_TYPE_4_data(tvbuff_t *tvb, int offset, { guint32 len; dcerpc_info *di; + int old_offset = offset; di=pinfo->private_data; if(di->conformant_run){ @@ -108,6 +109,8 @@ dissect_browser_TYPE_4_data(tvbuff_t *tvb, int offset, proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len, FALSE); offset += len; + if (offset < old_offset) + THROW(ReportedBoundsError); return len; } @@ -140,6 +143,7 @@ dissect_browser_TYPE_3_data(tvbuff_t *tvb, int offset, { guint32 len; dcerpc_info *di; + int old_offset = offset; di=pinfo->private_data; if(di->conformant_run){ @@ -155,6 +159,8 @@ dissect_browser_TYPE_3_data(tvbuff_t *tvb, int offset, proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len, FALSE); offset += len; + if (offset < old_offset) + THROW(ReportedBoundsError); return len; } @@ -743,6 +749,7 @@ dissect_browser_TYPE_9_data(tvbuff_t *tvb, int offset, { guint32 len; dcerpc_info *di; + int old_offset = offset; di=pinfo->private_data; if(di->conformant_run){ @@ -759,6 +766,8 @@ dissect_browser_TYPE_9_data(tvbuff_t *tvb, int offset, proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len, FALSE); offset += len; + if (offset < old_offset) + THROW(ReportedBoundsError); return len; } @@ -932,6 +941,7 @@ dissect_browser_TYPE_12_data(tvbuff_t *tvb, int offset, { guint32 len; dcerpc_info *di; + int old_offset = offset; di=pinfo->private_data; if(di->conformant_run){ @@ -948,8 +958,10 @@ dissect_browser_TYPE_12_data(tvbuff_t *tvb, int offset, proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len, FALSE); offset += len; + if (offset < old_offset) + THROW(ReportedBoundsError); - return len; + return offset; } static int dissect_browser_TYPE_12(tvbuff_t *tvb, int offset, |