Clamp the reported length of a packet at G_MAXINT for now, to avoid

crashes due to having no tvbuffs for an epan_dissect_t.

Fixes bug 6663 and its soon-to-be-duplicates.

svn path=/trunk/; revision=40164

1 files changed, 25 insertions, 1 deletions

diff --git a/epan/packet.c b/epan/packet.c
index 26656de050..efd811a322 100644
--- a/epan/packet.c
+++ b/epan/packet.c
@@ -305,7 +305,31 @@ dissect_packet(epan_dissect_t *edt, union wtap_pseudo_header *pseudo_header,
 	EP_CHECK_CANARY(("before dissecting frame %d",fd->num));
 
 	TRY {
-		edt->tvb = tvb_new_real_data(pd, fd->cap_len, fd->pkt_len);
+		/*
+		 * XXX - currently, the length arguments to
+		 * tvb_new_real_data() are signed, but the captured
+		 * and reported length values are unsigned; this means
+		 * that length values > 2^31 - 1 will appear as
+		 * negative lengths in tvb_new_real_data().
+		 *
+		 * Captured length values that large will already
+		 * have been filtered out by the Wiretap modules
+		 * (the file will be reported as corrupted), to
+		 * avoid trying to allocate large chunks of data.
+		 *
+		 * Reported length values will not have been
+		 * filtered out, and should not be filtered out,
+		 * as those lengths are not necessarily invalid.
+		 *
+		 * For now, we clip the reported length at G_MAXINT,
+		 * so that tvb_new_real_data() doesn't fail.  It
+		 * would throw an exception, which we'd catch, but
+		 * that would mean we would have no tvbuffs
+		 * associated with edt, which would upset much of
+		 * the rest of the application.
+		 */
+		edt->tvb = tvb_new_real_data(pd, fd->cap_len,
+		    fd->pkt_len > G_MAXINT ? G_MAXINT : fd->pkt_len);
 		/* Add this tvbuffer into the data_src list */
 		add_new_data_source(&edt->pi, edt->tvb, "Frame");