author | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-07-16 22:25:06 +0000 |
---|---|---|
committer | gerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7> | 2009-07-16 22:25:06 +0000 |
commit | 1816b2c3e4de68b62c28e308005c32fe38dcda7a (patch) | |
tree | a0c95a488ee915df29f73d44c603dec1c422a382 /epan/reassemble.c | |
parent | 6fbfcb37ab6f302fb5d5a952120d2d97af824f91 (diff) |
Check for an overflow. This should hopefully fix bug 3672.
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@29128 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/reassemble.c')
-rw-r--r-- | epan/reassemble.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c
index 7b75c21076..267925c132 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -710,10 +710,11 @@ fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset,
 * check it. Someone might play overlap and TTL games.
 */
 if (fd_head->flags & FD_DEFRAGMENTED) {
+ guint32 end_offset = fd->offset + fd->len;
 fd->flags |= FD_OVERLAP;
 fd_head->flags |= FD_OVERLAP;
 /* make sure it's not too long */
- if (fd->offset + fd->len > fd_head->datalen) {
+ if (end_offset > fd_head->datalen || end_offset < fd->offset || end_offset < fd->len) {
 fd->flags |= FD_TOOLONGFRAGMENT;
 fd_head->flags |= FD_TOOLONGFRAGMENT;
 } |
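Review bot: The new length check in the `FD_DEFRAGMENTED` branch still performs the addition `fd->offset + fd->len` and infers wraparound from the result, which is only sound if both fields are unsigned and no wider than `guint32`; their declarations are outside this hunk, so that needs confirming. For unsigned fields of any width, the subtraction form `if (fd->offset > fd_head->datalen || fd->len > fd_head->datalen - fd->offset) {` cannot wrap and makes the `end_offset` local unnecessary. If the addition is kept, `end_offset < fd->offset` alone detects an unsigned wrap, so `|| end_offset < fd->len` is redundant, and the comment would read better as `/* make sure it's not too long, including when offset + len wraps around */`. The surrounding comment suggests these values can be influenced by a hostile sender, so it is worth confirming that the code following this hunk does not read `fd_head->data` at `fd->offset` once `FD_TOOLONGFRAGMENT` is set; the block continues beyond the visible lines.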