authorGerald Combs <gerald@wireshark.org>2005-07-05 20:04:03 +0000
committerGerald Combs <gerald@wireshark.org>2005-07-05 20:04:03 +0000
commit276f179b0b86355018fe78018f158c20861b0a8b (patch)
treedba6918d98b5463f07d3f2c8b5ca072035b1d0ce /epan/reassemble.c
parentf1cf50370948568f267ccd7167bbd0bc1cf31bd1 (diff)
Don't crash if we're handed a zero-length fragment. Fixes bug 272. Although
we don't crash now, we still don't handle zero-length fragments correctly. svn path=/trunk/; revision=14858
Diffstat (limited to 'epan/reassemble.c')
-rw-r--r--epan/reassemble.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c
index 7bcccb8127..69c45b55a4 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -1177,8 +1177,9 @@ fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
fd_head->len = size; /* record size for caller */
/* add all data fragments */
+ dfpos = 0;
last_fd=NULL;
- for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
+ for (fd_i=fd_head->next;fd_i && fd_i->len + dfpos <= size;fd_i=fd_i->next) {
if (fd_i->len) {
if(!last_fd || last_fd->offset!=fd_i->offset){
memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
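Review bot: The new bound `fd_i->len + dfpos <= size` sits in the `for` condition, so it is evaluated for every fragment, including those that the `last_fd->offset!=fd_i->offset` test routes away from the `memcpy`. A retransmitted fragment that arrives once `dfpos` is close to `size` therefore ends the loop before its overlap flags are set, and every fragment after it is skipped with no flag set in the visible lines to show that the reassembled buffer is incomplete. Consider keeping the plain `fd_i` loop condition and guarding only the copy, e.g. `if (fd_i->len > size - dfpos) break;` directly before the `memcpy`. That form also cannot wrap around if these are unsigned 32-bit values; their declarations are outside the hunk, so this should be confirmed. The body of fragment_add_seq_work starts and ends outside this hunk.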
@@ -1193,8 +1194,8 @@ fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
fd_head->flags |= FD_OVERLAPCONFLICT;
}
}
- last_fd=fd_i;
}
+ last_fd=fd_i;
}
/* we have defragmented the pdu, now free all fragments*/
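Review bot: With `last_fd=fd_i;` now executed for zero-length fragments as well, a zero-length fragment becomes the baseline for the `last_fd->offset!=fd_i->offset` test, so a later non-empty fragment carrying the same offset would take the overlap branch and its data would not be copied. The commit message states that zero-length fragments are still not handled correctly, but nothing in the code records that limitation. I would add a comment at the moved assignment, such as `/* XXX - track zero-length fragments too so we don't crash (bug 272); they are still not reassembled correctly */`. Most of the overlap branch lies between the two hunks and is not visible here, so the exact effect on the FD_OVERLAP flags should be confirmed against the full function.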