author | Anders Broman <anders.broman@ericsson.com> | 2012-04-18 05:24:32 +0000 |
---|---|---|
committer | Anders Broman <anders.broman@ericsson.com> | 2012-04-18 05:24:32 +0000 |
commit | 67c79aea50d5f409b87ff52c5bbdb59829bd8f64 (patch) | |
tree | 8fc303ad02e34603a1440401294a9bf6e36215d9 /epan/dissectors/packet-ltp.c | |
parent | 477185a38715414928fe691f5c88ae6b05b15c5f (diff) |
From Evan Huus: Catch impossible sub-field counts. Fixes LTP infinite loop https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7124
svn path=/trunk/; revision=42121
Diffstat (limited to 'epan/dissectors/packet-ltp.c')
-rw-r--r-- | epan/dissectors/packet-ltp.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ltp.c b/epan/dissectors/packet-ltp.c
index f80e145658..1f697abd38 100644
--- a/epan/dissectors/packet-ltp.c
+++ b/epan/dissectors/packet-ltp.c
@@ -437,6 +437,17 @@ dissect_report_segment(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ltp_tree,
 expert_add_info_format(pinfo, ltp_tree, PI_UNDECODED, PI_ERROR, "Negative reception claim count: %d", rcpt_clm_cnt);
 return 0;
 }
+ /* Each reception claim is at least 2 bytes, so if the count is larger than the
+ * max number of claims we can possibly squeeze into the remaining tvbuff, then
+ * the packet is malformed.
+ */
+ if (rcpt_clm_cnt > tvb_length_remaining(tvb, frame_offset + segment_offset) / 2) {
+ proto_item_set_end(ltp_rpt_item, tvb, frame_offset + segment_offset);
+ expert_add_info_format(pinfo, ltp_tree, PI_MALFORMED, PI_ERROR,
+ "Reception claim count impossibly large: %d > %d", rcpt_clm_cnt,
+ tvb_length_remaining(tvb, frame_offset + segment_offset) / 2);
+ return 0;
+ }
 proto_tree_add_uint(ltp_rpt_tree, hf_ltp_rpt_clm_cnt, tvb, frame_offset + segment_offset, rcpt_clm_cnt_size, rcpt_clm_cnt);
 segment_offset += rcpt_clm_cnt_size; |
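Review bot: The limit in the added `if` is measured from `frame_offset + segment_offset`, which still points at the claim-count field itself because `segment_offset += rcpt_clm_cnt_size` only runs after the check, so the bound over-counts by the bytes of that field. The count is still capped by the buffer size, so the hang is addressed, but the limit would be tighter and evaluated only once if it were held in a local, e.g. `max_clms = tvb_length_remaining(tvb, frame_offset + segment_offset + rcpt_clm_cnt_size) / 2;`, and used in both the comparison and the expert-info message. Because `tvb_length_remaining()` counts captured bytes, a snaplen-truncated capture with an honest count will also be reported as `PI_MALFORMED`; a short comment saying this is deliberate would help. The claim loop itself lies outside the hunk, so it is worth confirming there that each iteration also stops when a sub-field decode fails rather than relying on this count check alone.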