Check for an overflow. This should hopefully fix bug 3672.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@29128 f5534014-38df-0310-8fa8-9805f1628bb7
author: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-07-16 22:25:06 +0000
committer: gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> 2009-07-16 22:25:06 +0000
commit: 1816b2c3e4de68b62c28e308005c32fe38dcda7a (patch)
tree: a0c95a488ee915df29f73d44c603dec1c422a382 /epan/reassemble.c
parent: 6fbfcb37ab6f302fb5d5a952120d2d97af824f91 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c
index 7b75c21076..267925c132 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -710,10 +710,11 @@ fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
 	 * check it. Someone might play overlap and TTL games.
 	 */
 	if (fd_head->flags & FD_DEFRAGMENTED) {
+		guint32 end_offset = fd->offset + fd->len;
 		fd->flags      |= FD_OVERLAP;
 		fd_head->flags |= FD_OVERLAP;
 		/* make sure it's not too long */
-		if (fd->offset + fd->len > fd_head->datalen) {
+		if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
 			fd->flags      |= FD_TOOLONGFRAGMENT;
 			fd_head->flags |= FD_TOOLONGFRAGMENT;
 		}
author	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-07-16 22:25:06 +0000
committer	gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>	2009-07-16 22:25:06 +0000
commit	1816b2c3e4de68b62c28e308005c32fe38dcda7a (patch)
tree	a0c95a488ee915df29f73d44c603dec1c422a382 /epan/reassemble.c
parent	6fbfcb37ab6f302fb5d5a952120d2d97af824f91 (diff)