diff options
| author | Jeff Morriss <jeff.morriss@ulticom.com> | 2011-05-02 14:27:48 +0000 |
|---|---|---|
| committer | Jeff Morriss <jeff.morriss@ulticom.com> | 2011-05-02 14:27:48 +0000 |
| commit | 60cefeae89f5d1600d860dfe8b9ea34bda0d8236 (patch) | |
| tree | 98e5f680855e7ff78507317ee0f55a5e21e05d66 /epan/dissectors/packet-mux27010.c | |
| parent | c92938bbc00fe008fedbce36edb04cc097d2a2e9 (diff) | |
Fix the (fuzzed) memory allocation failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5880 :
Don't attempt to reassemble a message if the length of the fragment is negative.
svn path=/trunk/; revision=36964
Diffstat (limited to 'epan/dissectors/packet-mux27010.c')
| -rw-r--r-- | epan/dissectors/packet-mux27010.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/epan/dissectors/packet-mux27010.c b/epan/dissectors/packet-mux27010.c index 9af1526347..5e6c6b6eaa 100644 --- a/epan/dissectors/packet-mux27010.c +++ b/epan/dissectors/packet-mux27010.c @@ -31,6 +31,7 @@ #include <epan/packet.h> #include <epan/reassemble.h> #include <epan/crc8.h> +#include <expert.h> #include <string.h> @@ -1025,8 +1026,8 @@ dissect_mux27010(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) guint8 msg_flag; fragment_data *frag_msg = NULL; - tvbuff_t* new_tvb = NULL; - tvbuff_t* next_tvb2 = NULL; + tvbuff_t *new_tvb = NULL; + tvbuff_t *next_tvb2 = NULL; packet_info pinfo_tmp; @@ -1041,12 +1042,21 @@ dissect_mux27010(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) msg_end = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1; msg_flag = tvb_get_guint8(tvb, tmpOffset); tmpOffset += 1; + if (msg_end <= msg_start) { + proto_item *pi; + pi = proto_tree_add_text(field_tree, tvb, tmpOffset-3, 2, + "Message start and end are illogical, aborting dissection"); + expert_add_info_format(pinfo, pi, PI_MALFORMED, PI_ERROR, + "Message start and end are illogical"); + continue; + } + tmpOffsetBegin = sizeMuxPPPHeader + 1 + msg_start; /*+ Header_Size, + Direction*/ tmpOffsetEnd = sizeMuxPPPHeader + 1 + msg_end; pinfo->fragmented = TRUE; - memcpy(&pinfo_tmp, pinfo,sizeof(*pinfo)); + memcpy(&pinfo_tmp, pinfo, sizeof(*pinfo)); frag_msg = fragment_add_seq_check(tvb, tmpOffsetBegin, pinfo, msg_seqid, /* ID for fragments belonging together */ @@ -1063,12 +1073,12 @@ dissect_mux27010(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) NULL, mux27010_tree); if (!frag_msg) { /* Not last packet of reassembled Message */ - g_snprintf(colInfoText,sizeof(colInfoText),"%s [Splitted Msg]", colInfoText); + g_snprintf(colInfoText, sizeof(colInfoText), "%s [Splitted Msg]", colInfoText); } if (new_tvb) { /* take it all */ next_tvb2 = tvb_new_subset(new_tvb, 1, -1, -1); - call_dissector( ppp_handle, next_tvb2, pinfo, tree ); + call_dissector(ppp_handle, next_tvb2, pinfo, tree); } pinfo = &pinfo_tmp; |