author | Evan Huus <eapache@gmail.com> | 2013-10-15 13:05:31 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2013-10-15 13:05:31 +0000 |
commit | 586dea0e0473483f34b3fd2c0a30c6a4c77b33bc (patch) | |
tree | 218b97131896ca7883ce1a0c9be3ac800851403c /epan | |
parent | a6d8e1888c74c9e88957c1e663caec2bab16551e (diff) |
Check the length *before* accessing the array, and cap the
length-retrieved-from-packet at the size of the array we have.
Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270
svn path=/trunk/; revision=52616
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-gsm_cbch.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c
index 0af0228d82..28959a9389 100644
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@@ -260,7 +260,13 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
 sched_subtree = proto_item_add_subtree(item, ett_schedule_new_msg);
 for (k=0; offset < len; j++)
 {
- while ((other_slots[k]!=0xFFFF) && (k<sched_end))
+ /* XXX I don't know if a message can validly contain more than
+ * 48 slots, but that's the size of the array we create so cap
+ * it there to avoid uninitialized memory errors (see bug
+ * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9270) */
+ if (sched_end > 48)
+ sched_end = 48;
+ while ((k<sched_end) && (other_slots[k]!=0xFFFF))
 {
 k++;
 }
|
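Review bot: The clamp `if (sched_end > 48)` hard-codes the array size as a literal, so the bound and the declaration of `other_slots` can drift apart if the array is ever resized, which would reopen the out-of-bounds read this commit closes. The declaration is outside the hunk; if `other_slots` is a true array in this scope, derive the limit from it, e.g. `if (sched_end > G_N_ELEMENTS(other_slots))` with `sched_end = G_N_ELEMENTS(other_slots);`, or share a named constant with the declaration. As far as the hunk shows, the clamp is loop-invariant yet sits inside the `for` body, and it silently truncates a packet-supplied value; hoisting it above the loop and reporting the oversized value (an expert-info item is the usual dissector convention) would make malformed input visible to the analyst. The loop body continues past the hunk, so confirm that the code following the `while` does not index `other_slots[k]` when `k == sched_end`.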