packet-epl.c: Fix bounds error on malformed packet

dissect_epl_payload is called with len retrieved from the packet payload, so we've to ensure there are indeed at least len bytes remaining in the tvbuff. Counting the remaining bytes has to start from the _current_ offset, not from the start of the buffer. Change-Id: I6f4a94e8503cde6c5eaadc43f560c15ef8c1c375 Reviewed-on: https://code.wireshark.org/review/21829 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Roland Knall <rknall@gmail.com>
author: Ahmad Fatoum <ahmad@a3f.at> 2017-05-30 22:25:23 +0200
committer: Roland Knall <rknall@gmail.com> 2017-05-31 19:47:41 +0000
commit: 855a05cd1e2e0cb234ffaa56c680ebd21a6ba14f (patch)
tree: 2ffd00035f8fd18249215e4b2ca8a774052d1610 /epan/dissectors/packet-epl.c
parent: 7f96ffe5d48eed4974582a11d87bdde86e192141 (diff)
1 files changed, 8 insertions, 10 deletions
diff --git a/epan/dissectors/packet-epl.c b/epan/dissectors/packet-epl.c
index 892d599f44..684f7fdd3a 100644
--- a/epan/dissectors/packet-epl.c
+++ b/epan/dissectors/packet-epl.c
@@ -1928,21 +1928,19 @@ decode_epl_address (guchar adr)
 static gint
 dissect_epl_payload ( proto_tree *epl_tree, tvbuff_t *tvb, packet_info *pinfo, gint offset, gint len, guint8 msgType )
 {
-	gint off = 0, rem_len = 0, pld_rem_len = 0;
+	gint rem_len = 0, payload_len = 0;
 	tvbuff_t * payload_tvb = NULL;
 	heur_dtbl_entry_t *hdtbl_entry = NULL;
 	proto_item * item = NULL;
 
-	off = offset;
-
 	if (len > 0)
 	{
-		rem_len = tvb_captured_length_remaining(tvb, 0);
-		payload_tvb = tvb_new_subset_length(tvb, off, len > rem_len ? rem_len : len);
-		pld_rem_len = tvb_captured_length_remaining(payload_tvb, 0);
-		if ( pld_rem_len < len )
+		rem_len = tvb_captured_length_remaining(tvb, offset);
+		payload_tvb = tvb_new_subset_length(tvb, offset, MIN(len, rem_len));
+		payload_len = tvb_captured_length_remaining(payload_tvb, 0);
+		if ( payload_len < len )
 		{
-			item = proto_tree_add_uint(epl_tree, hf_epl_payload_real, tvb, off, pld_rem_len, pld_rem_len);
+			item = proto_tree_add_uint(epl_tree, hf_epl_payload_real, tvb, offset, payload_len, payload_len);
 			PROTO_ITEM_SET_GENERATED(item);
 			expert_add_info(pinfo, item, &ei_real_length_differs );
 		}
@@ -1950,10 +1948,10 @@ dissect_epl_payload ( proto_tree *epl_tree, tvbuff_t *tvb, packet_info *pinfo, g
 		if ( ! dissector_try_heuristic(heur_epl_data_subdissector_list, payload_tvb, pinfo, epl_tree, &hdtbl_entry, &msgType))
 			call_data_dissector(payload_tvb, pinfo, epl_tree);
 
-		off += len;
+		offset += payload_len;
 	}
 
-	return off;
+	return offset;
 }
 
 gint
author	Ahmad Fatoum <ahmad@a3f.at>	2017-05-30 22:25:23 +0200
committer	Roland Knall <rknall@gmail.com>	2017-05-31 19:47:41 +0000
commit	855a05cd1e2e0cb234ffaa56c680ebd21a6ba14f (patch)
tree	2ffd00035f8fd18249215e4b2ca8a774052d1610 /epan/dissectors/packet-epl.c
parent	7f96ffe5d48eed4974582a11d87bdde86e192141 (diff)