diff options
author | Pascal Quantin <pascal.quantin@gmail.com> | 2017-04-05 22:58:18 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-04-06 04:51:33 +0000 |
commit | 280f2feeaf95fcf50f028162b49be1bf6866c918 (patch) | |
tree | 36cdf07fe18579906ff021737d4823d23b681f50 /epan/dissectors | |
parent | 0bd11903938e7fbcc876888178ed9c1f085fdffc (diff) |
RPC-over-RDMA: protect against a variable overflow
Bug: 13558
Change-Id: I0cb379df1a6c40a3c4a84f18c631d9239550c3ab
Reviewed-on: https://code.wireshark.org/review/20941
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-rpcrdma.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c index 4ea92abe19..ddcdc62176 100644 --- a/epan/dissectors/packet-rpcrdma.c +++ b/epan/dissectors/packet-rpcrdma.c @@ -168,7 +168,7 @@ static guint get_write_chunk_size(tvbuff_t *tvb, guint offset) static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset) { guint32 value_follows; - guint start = offset; + guint chunk_size, start = offset; while (1) { value_follows = tvb_get_ntohl(tvb, offset); @@ -178,9 +178,11 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset) if (!value_follows) break; - offset += get_write_chunk_size(tvb, offset); - if (offset > max_offset) + chunk_size = get_write_chunk_size(tvb, offset); + if ((offset + chunk_size) < offset || + (offset + chunk_size) > max_offset) return 0; + offset += chunk_size; } return offset - start; @@ -189,7 +191,7 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset) static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset) { guint32 value_follows; - guint num_chunks; + guint num_chunks, chunk_size; num_chunks = 0; while (1) { @@ -199,7 +201,9 @@ static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset) break; num_chunks++; - offset += get_write_chunk_size(tvb, offset); + chunk_size = get_write_chunk_size(tvb, offset); + if ((offset + chunk_size) < offset) + break; } return num_chunks; |