author | Gerald Combs <gerald@wireshark.org> | 2018-02-20 12:32:22 -0800 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2018-02-21 01:07:26 +0000 |
commit | 65aa59d28ab5f41a06dbfcf25b191f2b3547b78e (patch) | |
tree | 202d4156949d1f8a7c2b95b1c0afae12fefba139 /epan | |
parent | 2b74b5c4c8836f413c675d8f7f80c8356b6b1722 (diff) |
RPCoRDMA: Set an upper bound for our chunk size.
Make sure our write chunk size doesn't exceed our tvbuff. Adjust a few
length checks.
Bug: 14449
Change-Id: If9dd8a6094830c5b47adfff0acb3ff726168e801
Reviewed-on: https://code.wireshark.org/review/25943
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-rpcrdma.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
index 8b52bf2c0a..bed6754942 100644
--- a/epan/dissectors/packet-rpcrdma.c
+++ b/epan/dissectors/packet-rpcrdma.c
@@ -148,8 +148,13 @@ static guint get_read_list_chunk_count(tvbuff_t *tvb, guint offset)
 static guint get_write_chunk_size(tvbuff_t *tvb, guint offset)
 {
 guint segment_count;
+ guint max_count = (guint)tvb_reported_length_remaining(tvb, offset + 4) / 16;
 segment_count = tvb_get_ntohl(tvb, offset);
+ if (segment_count > max_count) {
+ /* XXX We should throw an exception here. */
+ segment_count = max_count;
+ }
 return 4 + (segment_count * 16);
 }
@@ -167,8 +172,8 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
 break;
 chunk_size = get_write_chunk_size(tvb, offset);
- if ((offset + chunk_size) < offset ||
- (offset + chunk_size) > max_offset)
+ if ((offset > max_offset) ||
+ (max_offset - offset < chunk_size))
 return 0;
 offset += chunk_size;
 }
@@ -190,7 +195,7 @@ static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
 num_chunks++;
 chunk_size = get_write_chunk_size(tvb, offset);
- if ((offset + chunk_size) < offset)
+ if (chunk_size == 0)
 break;
 offset += chunk_size;
 } |
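Review bot: The `(guint)` cast on the new `max_count` line in get_write_chunk_size converts the signed result of `tvb_reported_length_remaining()` before it is range-checked. If that call can return a negative value for an out-of-range `offset + 4` (its contract is not visible in this hunk), `max_count` becomes very large, the clamp never fires, and `segment_count * 16` can wrap again. Keeping the value signed until it is tested removes that dependency: `gint remaining = tvb_reported_length_remaining(tvb, offset + 4);` followed by `guint max_count = remaining > 0 ? (guint)remaining / 16 : 0;`. Separately, as the `XXX` comment admits, an oversized count is clamped silently, so a malformed write chunk is dissected with no indication to the analyst that the length field was not honoured.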
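Review bot: The new `if (chunk_size == 0)` guard in get_write_list_chunk_count can never be true, because get_write_chunk_size returns `4 + (segment_count * 16)`, which stays congruent to 4 modulo 16 even if the multiplication wraps. With the old `(offset + chunk_size) < offset` test removed, nothing in this loop body stops `offset += chunk_size` from wrapping. The walk now relies entirely on the clamp inside get_write_chunk_size and on the loop condition, which lies outside the hunk. A wrap-safe form of the removed test would keep a local bound: `if (chunk_size > G_MAXUINT - offset)` ahead of the existing `break;`.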