diff options
author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2014-10-18 16:45:01 +0200 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2014-10-18 17:12:18 +0000 |
commit | 8a10f77ab4d7722efc95170771540eb93b2c2f16 (patch) | |
tree | 7ea6b970974bde35c28ed898b9deebcc64cd7421 /epan/dissectors/packet-mip6.c | |
parent | 31c119fa789782190cea2608decaa114318bb5d8 (diff) |
MIPv6: Mobility Option Binding Authorization Data for FMIPv6 Authenticator field is read beyond the option data
There's a single IPv6 packet with Binding Authorization Data for FMIPv6 mobility option.
The option's data length is 14 but and since the SPI takes 4 bytes, the Authenticator field should take 10 bytes.
However, the Authenticator field is read until the end of the packet, which is 178 bytes.
Found by boaz
Bug: 10577
Change-Id: Ia79c5131d8477c1a7c111c47c2a94e990bbeae4d
Reviewed-on: https://code.wireshark.org/review/4817
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-mip6.c')
-rw-r--r-- | epan/dissectors/packet-mip6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-mip6.c b/epan/dissectors/packet-mip6.c index a89a9138ba..b776675d0e 100644 --- a/epan/dissectors/packet-mip6.c +++ b/epan/dissectors/packet-mip6.c @@ -2279,7 +2279,7 @@ dissect_mip6_opt_badff(const mip6_opt *optp _U_, tvbuff_t *tvb, int offset, proto_tree_add_item(opt_tree, hf_mip6_opt_badff_spi, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; - proto_tree_add_item(opt_tree, hf_mip6_opt_badff_auth, tvb, offset, -1, ENC_NA); + proto_tree_add_item(opt_tree, hf_mip6_opt_badff_auth, tvb, offset, optlen-4-2, ENC_NA); } |