diff options
| author | Guy Harris <guy@alum.mit.edu> | 2012-12-26 22:05:41 +0000 |
|---|---|---|
| committer | Guy Harris <guy@alum.mit.edu> | 2012-12-26 22:05:41 +0000 |
| commit | 46e9f63fb2ee185cbdb45a03517dd20d5dc48ce1 (patch) | |
| tree | e1038ca0e080476722859e4d1532c60a10635ab3 /epan/dissectors/packet-gsm_a_bssmap.c | |
| parent | 074297d7dd616773a5ba25fbf77c945faf1faf46 (diff) | |
Do array bounds checking.
svn path=/trunk/; revision=46793
Diffstat (limited to 'epan/dissectors/packet-gsm_a_bssmap.c')
| -rw-r--r-- | epan/dissectors/packet-gsm_a_bssmap.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/epan/dissectors/packet-gsm_a_bssmap.c b/epan/dissectors/packet-gsm_a_bssmap.c index 51ace65f2f..8c6e6df0d6 100644 --- a/epan/dissectors/packet-gsm_a_bssmap.c +++ b/epan/dissectors/packet-gsm_a_bssmap.c @@ -4615,6 +4615,8 @@ static guint16 (*bssmap_bss_to_bss_element_fcn[])(tvbuff_t *tvb, proto_tree *tre NULL, /* NONE */ }; +#define NUM_BSS_ELEMENT_FCNS (int)(sizeof(bssmap_bss_to_bss_element_fcn)/(sizeof bssmap_bss_to_bss_element_fcn[0])) + static guint16 be_field_element_dissect(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len _U_, gchar *add_string _U_, int string_len _U_) { @@ -4652,7 +4654,8 @@ be_field_element_dissect(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, gu /* * decode field element */ - if (idx < 0 || (bssmap_bss_to_bss_element_fcn[idx] == NULL)) + if (idx < 0 || idx >= NUM_BSS_ELEMENT_FCNS || + (bssmap_bss_to_bss_element_fcn[idx] == NULL)) { proto_tree_add_text(bss_to_bss_tree, tvb, curr_offset, ie_len, @@ -6738,7 +6741,7 @@ bssmap_reset_ip_res_ack(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo _U_, /* LCLS-Break-Request 3.2.2.120 BSS-MSC O (note 1) 1 */ #endif -#define NUM_GSM_BSSMAP_MSG (sizeof(gsm_a_bssmap_msg_strings)/sizeof(value_string)) +#define NUM_GSM_BSSMAP_MSG (int)(sizeof(gsm_a_bssmap_msg_strings)/sizeof(value_string)) static gint ett_gsm_bssmap_msg[NUM_GSM_BSSMAP_MSG]; static void (*bssmap_msg_fcn[])(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, guint len) = { @@ -6874,6 +6877,7 @@ static void (*bssmap_msg_fcn[])(tvbuff_t *tvb, proto_tree *tree, packet_info *pi NULL, /* NONE */ }; +#define NUM_BSSMAP_MSG_FCNS (int)(sizeof(bssmap_msg_fcn)/sizeof(bssmap_msg_fcn[0])) void dissect_bssmap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) @@ -6936,7 +6940,7 @@ dissect_bssmap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) /* These two conditions are actually the same, but checking idx makes it * obvious we won' t use a potentially negative idx in the else case. */ - if (str == NULL || idx < 0) + if (str == NULL || idx < 0 || idx >= NUM_GSM_BSSMAP_MSG) { bssmap_item = proto_tree_add_protocol_format(tree, proto_a_bssmap, tvb, 0, len, @@ -6975,7 +6979,7 @@ dissect_bssmap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) /* * decode elements */ - if (idx < 0 || bssmap_msg_fcn[idx] == NULL) { + if (idx < 0 || idx >= NUM_BSSMAP_MSG_FCNS || bssmap_msg_fcn[idx] == NULL) { proto_tree_add_text(bssmap_tree, tvb, offset, len - offset, "Message Elements"); |