netlink: don't use -1 to mean "to end of packet".

Add dissect_netlink_attributes_to_end(), which takes no length argument,
and uses tvb_ensure_reported_length() to get the remaining length in the
packet.

In dissect_netlink_attributes_common(), treat negative lengths as if
they were a positive length >= 2^31, and throw a reported bounds error.

Also, throw a bounds error if there's more padding to a 4-byte boundary
than there is data in the packet.

At that point, we know the length is positive, so assign it to an
unsigned variable and use *that* in the loop.  Throw an error if the
attribute goes past the end of the packet (although we presumably would
have done that already).

(We really should eliminate all use of -1 as "to the end", and make
lengths unsigned.  We should also get rid of any places where we're
using negative offsets as offsets from the end of the packet - in the
few cases where you're dealing with trailers, you want to do that
carefully, so as not to throw an exception dissecting the trailer before
you get around to dissecting the rest of the packet - and make offsets
unsigned as well.)

1 files changed, 1 insertions, 1 deletions

diff --git a/epan/dissectors/packet-netlink-route.c b/epan/dissectors/packet-netlink-route.c
index ff0befdf59..c2bd584578 100644
--- a/epan/dissectors/packet-netlink-route.c
+++ b/epan/dissectors/packet-netlink-route.c
@@ -407,7 +407,7 @@ dissect_netlink_route_attributes(tvbuff_t *tvb, header_field_info *hfi_type, str
 	 */
 
 	/* XXX, nice */
-	return dissect_netlink_attributes(tvb, hfi_type, ett_netlink_route_attr, info, nl_data, tree, offset, -1, cb);
+	return dissect_netlink_attributes_to_end(tvb, hfi_type, ett_netlink_route_attr, info, nl_data, tree, offset, cb);
 }
 
 /* Interface */