authorGerald Combs <gerald@wireshark.org>2018-02-20 12:32:22 -0800
committerMichael Mann <mmann78@netscape.net>2018-02-21 01:07:26 +0000
commit65aa59d28ab5f41a06dbfcf25b191f2b3547b78e (patch)
tree202d4156949d1f8a7c2b95b1c0afae12fefba139 /epan/dissectors/packet-rpcrdma.c
parent2b74b5c4c8836f413c675d8f7f80c8356b6b1722 (diff)
RPCoRDMA: Set an upper bound for our chunk size.
Make sure our write chunk size doesn't exceed our tvbuff. Adjust a few length checks. Bug: 14449 Change-Id: If9dd8a6094830c5b47adfff0acb3ff726168e801 Reviewed-on: https://code.wireshark.org/review/25943 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-rpcrdma.c')
-rw-r--r--epan/dissectors/packet-rpcrdma.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
index 8b52bf2c0a..bed6754942 100644
--- a/epan/dissectors/packet-rpcrdma.c
+++ b/epan/dissectors/packet-rpcrdma.c
@@ -148,8 +148,13 @@ static guint get_read_list_chunk_count(tvbuff_t *tvb, guint offset)
static guint get_write_chunk_size(tvbuff_t *tvb, guint offset)
{
guint segment_count;
+ guint max_count = (guint)tvb_reported_length_remaining(tvb, offset + 4) / 16;
segment_count = tvb_get_ntohl(tvb, offset);
+ if (segment_count > max_count) {
+ /* XXX We should throw an exception here. */
+ segment_count = max_count;
+ }
return 4 + (segment_count * 16);
}
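Review bot: The `(guint)` cast on the new `max_count` line is applied to the result of `tvb_reported_length_remaining()` before the division, so if that call can ever return a negative value for an out-of-range `offset + 4`, the bound becomes very large and the clamp below has no effect. Keeping the value signed until it has been checked avoids this: `gint remaining = tvb_reported_length_remaining(tvb, offset + 4);` followed by `guint max_count = remaining > 0 ? (guint)remaining / 16 : 0;`. The clamp also shortens a malformed segment count silently, as the XXX comment admits, so a crafted packet is dissected with no indication that its count was out of range. A header comment stating that the function returns the chunk size in bytes (a 4-byte count plus 16 bytes per segment), capped to the data remaining in the tvbuff, would make the callers' checks easier to follow.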
@@ -167,8 +172,8 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
break;
chunk_size = get_write_chunk_size(tvb, offset);
- if ((offset + chunk_size) < offset ||
- (offset + chunk_size) > max_offset)
+ if ((offset > max_offset) ||
+ (max_offset - offset < chunk_size))
return 0;
offset += chunk_size;
}
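Review bot: The rewritten bounds test has no comment explaining why it is written as a subtraction, and it is easy to "simplify" back into `offset + chunk_size > max_offset`, which wraps for large `guint` values. I would add `/* Compare by subtraction: offset + chunk_size can wrap around in guint. */` above the `if`. The enclosing loop and the rest of get_write_list_size() lie outside the hunk.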
@@ -190,7 +195,7 @@ static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
num_chunks++;
chunk_size = get_write_chunk_size(tvb, offset);
- if ((offset + chunk_size) < offset)
+ if (chunk_size == 0)
break;
offset += chunk_size;
}
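Review bot: The new `if (chunk_size == 0)` test looks unreachable, because `get_write_chunk_size()` returns `4 + (segment_count * 16)` and the clamp added in the first hunk bounds the product by the remaining tvbuff length, so the result is always at least 4. That leaves this loop with no length check of its own, unlike `get_write_list_size()`, which compares against `max_offset`. Termination then depends on code outside this hunk, since the loop starts before it. Either drop the dead test or add a comment stating what actually ends the loop on a truncated or malformed list.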