tnef: fix overflow leading to infinite loop

Thanks to Vlad Tsyrklevich for the report, and Fabian Yamaguchi for the "joern" tool which found the bug. Bug: 11023 Change-Id: I53bc998c9934736698e7db5eba09a14e79a7c633 Reviewed-on: https://code.wireshark.org/review/7461 Petri-Dish: Evan Huus <eapache@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Evan Huus <eapache@gmail.com>
author: Evan Huus <eapache@gmail.com> 2015-03-01 18:33:10 -0500
committer: Evan Huus <eapache@gmail.com> 2015-03-02 14:11:34 +0000
commit: 608cf324b3962877e9699f3e81e8f82ac9f1ea14 (patch)
tree: 1648cf7747c900353ff01a58b817141eda7fcf85 /epan/dissectors/packet-tnef.c
parent: 724c2ed4c8a76ea2ebfb9ef846fcdf092ff35d6a (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/epan/dissectors/packet-tnef.c b/epan/dissectors/packet-tnef.c
index 865042ab28..09f48be1f3 100644
--- a/epan/dissectors/packet-tnef.c
+++ b/epan/dissectors/packet-tnef.c
@@ -604,7 +604,10 @@ static void dissect_tnef(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
       }
     }
 
-    offset += length;
+    /* check for overflow */
+    if (offset + length > (guint32)offset) {
+      offset += length;
+    }
 
     proto_tree_add_item(attr_tree, hf_tnef_attribute_checksum, tvb, offset, 2, ENC_LITTLE_ENDIAN);
     offset += 2;
author	Evan Huus <eapache@gmail.com>	2015-03-01 18:33:10 -0500
committer	Evan Huus <eapache@gmail.com>	2015-03-02 14:11:34 +0000
commit	608cf324b3962877e9699f3e81e8f82ac9f1ea14 (patch)
tree	1648cf7747c900353ff01a58b817141eda7fcf85 /epan/dissectors/packet-tnef.c
parent	724c2ed4c8a76ea2ebfb9ef846fcdf092ff35d6a (diff)