QUIC: Fix some issue (Malformed frame) with handshake heuristics

Need to check if there is data before get a value... Change-Id: I45592e9a2c55a5bce57a40f7e3153e8f540ca316 Reviewed-on: https://code.wireshark.org/review/10636 Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
author: Alexis La Goutte <alexis.lagoutte@gmail.com> 2015-09-24 10:56:23 +0200
committer: Alexis La Goutte <alexis.lagoutte@gmail.com> 2015-09-24 14:41:20 +0000
commit: af0e93c05685c8e3ffdca0d48b947767860105a9 (patch)
tree: f3081b820e0aadc270eedf5dd4351c9df5af42e7 /epan/dissectors/packet-quic.c
parent: fea2e4aaf84aa73d716070643225134b184dd545 (diff)
1 files changed, 11 insertions, 4 deletions
diff --git a/epan/dissectors/packet-quic.c b/epan/dissectors/packet-quic.c
index 3585eca792..f2ac58203c 100644
--- a/epan/dissectors/packet-quic.c
+++ b/epan/dissectors/packet-quic.c
@@ -553,6 +553,9 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                     /* Error Code */
                     offset += 4;
                     /* Reason Phrase Length */
+                    if (tvb_captured_length_remaining(tvb, offset) <= 2){
+                        return FALSE;
+                    }
                     len_reason = tvb_get_ntohs(tvb, offset);
                     offset += 2;
                     /* Reason Phrase */
@@ -567,6 +570,9 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                     /* Last Good Stream ID */
                     offset += 4;
                     /* Reason Phrase Length */
+                    if (tvb_captured_length_remaining(tvb, offset) <= 2){
+                        return FALSE;
+                    }
                     len_reason = tvb_get_ntohs(tvb, offset);
                     offset += 2;
                     /* Reason Phrase */
@@ -615,7 +621,8 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
 
                 /* Data length */
                 offset += len_data;
-                if ( tvb_captured_length(tvb) <= offset){
+
+                if (tvb_captured_length_remaining(tvb, offset) <= 4){
                     return FALSE;
                 }
 
@@ -645,7 +652,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                 offset += 2;
 
                 /* Num Timestamp */
-                if ( tvb_captured_length(tvb) <= offset){
+                if (tvb_captured_length_remaining(tvb, offset) <= 1){
                     return FALSE;
                 }
                 num_timestamp = tvb_get_guint8(tvb, offset);
@@ -664,7 +671,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
 
                 if(frame_type & FTFLAGS_ACK_N){
                     /* Num Ranges */
-                    if ( tvb_captured_length(tvb) <= offset){
+                    if (tvb_captured_length_remaining(tvb, offset) <= 1){
                         return FALSE;
                     }
                     num_ranges = tvb_get_guint8(tvb, offset);
@@ -674,7 +681,7 @@ static gboolean is_quic_handshake(tvbuff_t *tvb, guint offset, guint16 len_seq){
                     offset += num_ranges*(len_missing_packet+1);
 
                     /* Num Revived */
-                    if ( tvb_captured_length(tvb) <= offset){
+                    if (tvb_captured_length_remaining(tvb, offset) <= 1){
                         return FALSE;
                     }
                     num_revived = tvb_get_guint8(tvb, offset);
author	Alexis La Goutte <alexis.lagoutte@gmail.com>	2015-09-24 10:56:23 +0200
committer	Alexis La Goutte <alexis.lagoutte@gmail.com>	2015-09-24 14:41:20 +0000
commit	af0e93c05685c8e3ffdca0d48b947767860105a9 (patch)
tree	f3081b820e0aadc270eedf5dd4351c9df5af42e7 /epan/dissectors/packet-quic.c
parent	fea2e4aaf84aa73d716070643225134b184dd545 (diff)