diff options
author | Gerald Combs <gerald@wireshark.org> | 2018-01-09 11:31:40 -0800 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-01-09 21:23:35 +0000 |
commit | a7e29d8b66dd7c1cb691966938404dafc6b89689 (patch) | |
tree | 20627dce251e33a4a04230b82828ee9afa00117a /epan/dissectors/packet-wcp.c | |
parent | 369cdcc5533e46cb28437557d6827ba0172710c3 (diff) |
WCP: Add a length check.
Add a bounds check for the current window. Blind attempt at fixing bug
14251.
Bug: 14251
Change-Id: Ia3775bcabb2dc633b6994547125e53a4fe23451e
Reviewed-on: https://code.wireshark.org/review/25230
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-wcp.c')
-rw-r--r-- | epan/dissectors/packet-wcp.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/epan/dissectors/packet-wcp.c b/epan/dissectors/packet-wcp.c index 9094c48900..6241276305 100644 --- a/epan/dissectors/packet-wcp.c +++ b/epan/dissectors/packet-wcp.c @@ -644,10 +644,16 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin } len = pdata_ptr->len; } else { + if (buf_ptr->buf_cur + len > buf_end) { + expert_add_info_format(pinfo, cd_item, &ei_wcp_invalid_window_offset, + "Uncompressed data exceeds available buffer length (%d > %d)", + len, (int) (buf_end - buf_ptr->buf_cur)); + return NULL; + } - /* save the new data as per packet data */ + /* save the new data as per packet data */ pdata_ptr = wmem_new(wmem_file_scope(), wcp_pdata_t); - memcpy( &pdata_ptr->buffer, buf_ptr->buf_cur, len); + memcpy( &pdata_ptr->buffer, buf_ptr->buf_cur, len); pdata_ptr->len = len; p_add_proto_data(wmem_file_scope(), pinfo, proto_wcp, 0, (void*)pdata_ptr); |