diff options
author | Guy Harris <guy@alum.mit.edu> | 2018-05-27 19:42:35 -0700 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2018-05-28 02:44:56 +0000 |
commit | 25118898a931589cfdea4693e056a02b7daecf10 (patch) | |
tree | a1f1d9ec121fcfd5efbb96047c686ae4d53eb09f /epan/dissectors/packet-dcm.c | |
parent | 101b692569f17d14f7165446a8a2ae26415057cb (diff) |
Make sure the offset doesn't overflow.
It'd only overflow if the value is *so* large that it won't fit in the
packet (given that we have a 2^32-1-byte limit on the packet size), so
use tvb_ensure_bytes_exist() to ensure we have the entire value before
processing the value.
(The real problem is that we don't handle the case where there's a value
multiplicity > 1 for some types; in those cases, we should loop,
processing all the values, which would cause us to eventually throw an
exception when we ran past the end of the packet. This is just a quick
fix.)
Bug: 14742
Change-Id: I447ece81d1c84d3b1d218faeb2c155f910208c29
Reviewed-on: https://code.wireshark.org/review/27853
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan/dissectors/packet-dcm.c')
-rw-r--r-- | epan/dissectors/packet-dcm.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/epan/dissectors/packet-dcm.c b/epan/dissectors/packet-dcm.c index 3dd26e0093..e7b7904bac 100644 --- a/epan/dissectors/packet-dcm.c +++ b/epan/dissectors/packet-dcm.c @@ -5758,6 +5758,11 @@ dissect_dcm_tag_value(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, dcm_s guint encoding = (pdv->syntax == DCM_EBE) ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN; + /* Make sure we have all the bytes of the item; this should throw + and exception if vl_max is so large that it causes the offset + to overflow. */ + tvb_ensure_bytes_exist(tvb, offset, vl_max); + /* --------------------------------------------------------------------------- Potentially long types. Obey vl_max --------------------------------------------------------------------------- |