authorGuy Harris <guy@alum.mit.edu>2016-06-23 02:33:46 -0700
committerGuy Harris <guy@alum.mit.edu>2016-06-23 09:33:59 +0000
commita51b6a60b18a3fc81738533a84a72cd0b639ce5e (patch)
tree65c2ecd334b06c37ecb2cca2110d7bdbcd6ba42b /epan
parent6b0923a6403649fd23d650396482bb9b2b6b757f (diff)
Fix some of the brokenness in the PRP redundancy control trailer dissector.
IF YOU ARE DOING A HEURISTIC CHECK TO DETERMINE WHETHER THE PACKET YOU'RE LOOKING AT IS ONE YOU SHOULD DISSECT, EVEN IN A DISSECTOR THAT'S NOT REGISTERED AS A HEURISTIC DISSECTOR, DO NOT LOOK AT PACKET BYTES UNLESS YOU HAVE ALREADY DETERMINED THAT THEY ARE AVAILABLE IN THE CAPTURE. THERE ARE NO EXCEPTIONS TO THIS RULE. Bug: 9826 Change-Id: I2327a92ee760003bc10489263c0c53acdf2094e9 Reviewed-on: https://code.wireshark.org/review/16092 Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-prp.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/epan/dissectors/packet-prp.c b/epan/dissectors/packet-prp.c
index 4390f0a218..a804e06909 100644
--- a/epan/dissectors/packet-prp.c
+++ b/epan/dissectors/packet-prp.c
@@ -93,6 +93,13 @@ dissect_prp_redundancy_control_trailer(tvbuff_t *tvb, packet_info *pinfo _U_, pr
if(length < 14)
return 0;
+ /*
+ * This is horribly broken. It assumes the frame is an Ethernet
+ * frame, with a type field at an offset of 12 bytes from the header.
+ * That is not guaranteed to be true.
+ */
+ if (!tvb_bytes_exist(tvb, 12, 2))
+ return 0;
if(ETHERTYPE_VLAN == tvb_get_ntohs(tvb, 12)) /* tagged frame */
{
offset = 18;
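Review bot: The new `tvb_bytes_exist(tvb, 12, 2)` guard only covers the type-field read on the line after it. The tagged-frame branch then sets `offset = 18`, and nothing in this hunk shows that later reads relative to that offset are checked against the captured length; the rest of dissect_prp_redundancy_control_trailer lies outside the hunk, so this needs confirming there. The added comment records the Ethernet assumption but not what should replace it. I would reword it along the lines of `/* XXX - assumes an Ethernet header with the type field at offset 12; the link-layer type should be confirmed before this dissector looks at these bytes. */` so the next maintainer knows what the fix is.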
@@ -105,6 +112,13 @@ dissect_prp_redundancy_control_trailer(tvbuff_t *tvb, packet_info *pinfo _U_, pr
if (!tree)
return tvb_captured_length(tvb);
+ /*
+ * Is there enough data in the packet to every try to search for a
+ * trailer?
+ */
+ if (!tvb_bytes_exist(tvb, (length-4)+2, 2))
+ return 0; /* no */
+
/* search for PRP-0 trailer */
/* If the frame is > 64 bytes, the PRP-0 trailer is always at the end. */
/* If the frame is <= 64 bytes, the PRP-0 trailer may be anywhere (before the padding) */
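Review bot: The captured-bytes check sits after `if (!tree) return tvb_captured_length(tvb);`, so the same truncated frame is claimed on a pass without a tree and rejected with `return 0` on a pass with one. Moving `if (!tvb_bytes_exist(tvb, (length-4)+2, 2)) return 0;` above the `if (!tree)` test would make the accept/reject decision independent of whether a tree is being built. The offset `(length-4)+2` is unexplained; a short comment naming which two trailer bytes it addresses would make the guard auditable against the search loop, which lies outside this hunk. The added comment also has a typo: "to every try" should read "to even try".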