diff options
author | Evan Huus <eapache@gmail.com> | 2015-03-01 18:33:10 -0500 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2015-03-02 14:11:34 +0000 |
commit | 608cf324b3962877e9699f3e81e8f82ac9f1ea14 (patch) | |
tree | 1648cf7747c900353ff01a58b817141eda7fcf85 /epan/dissectors/packet-tnef.c | |
parent | 724c2ed4c8a76ea2ebfb9ef846fcdf092ff35d6a (diff) |
tnef: fix overflow leading to infinite loop
Thanks to Vlad Tsyrklevich for the report, and Fabian Yamaguchi for the "joern"
tool which found the bug.
Bug: 11023
Change-Id: I53bc998c9934736698e7db5eba09a14e79a7c633
Reviewed-on: https://code.wireshark.org/review/7461
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Evan Huus <eapache@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-tnef.c')
-rw-r--r-- | epan/dissectors/packet-tnef.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/epan/dissectors/packet-tnef.c b/epan/dissectors/packet-tnef.c index 865042ab28..09f48be1f3 100644 --- a/epan/dissectors/packet-tnef.c +++ b/epan/dissectors/packet-tnef.c @@ -604,7 +604,10 @@ static void dissect_tnef(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) } } - offset += length; + /* check for overflow */ + if (offset + length > (guint32)offset) { + offset += length; + } proto_tree_add_item(attr_tree, hf_tnef_attribute_checksum, tvb, offset, 2, ENC_LITTLE_ENDIAN); offset += 2; |