author | Gerald Combs <gerald@wireshark.org> | 2005-07-05 20:04:03 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2005-07-05 20:04:03 +0000 |
commit | 276f179b0b86355018fe78018f158c20861b0a8b (patch) | |
tree | dba6918d98b5463f07d3f2c8b5ca072035b1d0ce /epan/reassemble.c | |
parent | f1cf50370948568f267ccd7167bbd0bc1cf31bd1 (diff) |
Don't crash if we're handed a zero-length fragment. Fixes bug 272. Although
we don't crash now, we still don't handle zero-length fragments correctly.
svn path=/trunk/; revision=14858
Diffstat (limited to 'epan/reassemble.c')
-rw-r--r-- | epan/reassemble.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c
index 7bcccb8127..69c45b55a4 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -1177,8 +1177,9 @@ fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
 fd_head->len = size; /* record size for caller */
 /* add all data fragments */
+ dfpos = 0;
 last_fd=NULL;
- for (dfpos=0,fd_i=fd_head->next;fd_i;fd_i=fd_i->next) {
+ for (fd_i=fd_head->next;fd_i && fd_i->len + dfpos <= size;fd_i=fd_i->next) {
 if (fd_i->len) {
 if(!last_fd || last_fd->offset!=fd_i->offset){
 memcpy(fd_head->data+dfpos,fd_i->data,fd_i->len);
@@ -1193,8 +1194,8 @@ fragment_add_seq_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
 fd_head->flags |= FD_OVERLAPCONFLICT;
 }
 }
- last_fd=fd_i;
 }
+ last_fd=fd_i;
 }
 /* we have defragmented the pdu, now free all fragments*/ |
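Review bot: The new loop condition `fd_i->len + dfpos <= size` stops at the first fragment that would overrun `fd_head->data`, but it does so silently: later fragments are neither copied nor run through the overlap branch, and nothing is recorded on `fd_head` to tell the caller the reassembled buffer is incomplete. Because the test sits in the `for` header it also applies to duplicates, which never reach the `memcpy`, so a duplicate arriving once `dfpos` has reached `size` ends the loop before it is compared. I would keep the bound next to the write, e.g. `if (fd_i->len > size - dfpos) break;` directly above the `memcpy`, which also avoids any wrap in the addition if these are unsigned 32-bit fields (their declarations are outside the hunk), and set a flag there the way the overlap branch sets `FD_OVERLAPCONFLICT`. The body of fragment_add_seq_work starts and ends outside this hunk, including the computation of `size`.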
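Review bot: The relocated `last_fd=fd_i;` carries no comment explaining why empty fragments must now advance it, although the duplicate test `last_fd->offset!=fd_i->offset` in the previous hunk depends on it. A short comment on that line would help, for example `/* advance for empty fragments too, so the duplicate test always compares with the immediate predecessor */`. One consequence worth recording there is that a non-empty fragment following an empty one with the same offset now takes the overlap branch and is not copied. Most of the overlap branch lies between the two hunks and is not visible, so whether its comparison is safe for such a fragment cannot be judged from here.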