author | Anders Broman <anders.broman@ericsson.com> | 2011-11-10 06:07:16 +0000 |
---|---|---|
committer | Anders Broman <anders.broman@ericsson.com> | 2011-11-10 06:07:16 +0000 |
commit | 4c379bc979f61169e5cc6997a6b00372d3378785 (patch) | |
tree | b40b739960c6de1915c3e68f5c742c65c939f684 /epan/dissectors | |
parent | b529b73943cc21dab3bcf75eb5e1437a5660966d (diff) |
From Dirk:
CAPWAP dissector tries to allocate -1 bytes of memory during reassembly.
- changed to return offset.
svn path=/trunk/; revision=39779
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-capwap.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/epan/dissectors/packet-capwap.c b/epan/dissectors/packet-capwap.c index a56075c07c..2f2f908d8e 100644 --- a/epan/dissectors/packet-capwap.c +++ b/epan/dissectors/packet-capwap.c @@ -1374,13 +1374,17 @@ dissect_capwap_control(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) if (global_capwap_reassemble && fragment_is) { + const int len_rem = tvb_length_remaining(tvb, offset); + if (len_rem <= 0) + return offset; + pinfo->fragmented = TRUE; frag_msg = fragment_add_check(tvb, offset, pinfo,fragment_id, capwap_fragment_table, capwap_reassembled_table, fragment_offset, - tvb_length_remaining(tvb, offset), + len_rem, fragment_more); next_tvb = process_reassembled_data(tvb, offset, pinfo, |
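Review bot: The new guard `if (len_rem <= 0) return offset;` bails out silently, so a fragment with no payload, or with an offset past the captured data, leaves nothing in the tree to tell an analyst the packet was malformed or truncated. I would flag it before returning, for example with an expert-info item in the PI_MALFORMED group, and add a comment above the check such as `/* tvb_length_remaining() returns -1 when offset is beyond the captured data; never hand that to fragment_add_check() as a length */`. Because the length is the captured rather than the reported one, a snaplen-truncated capture presumably also feeds short fragments into reassembly; that is worth confirming. dissect_capwap_control starts and ends outside the hunk, and any other reassembly call site in this file (not visible here) would need the same guard.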