authorRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2003-11-10 08:02:33 +0000
committerRonnie Sahlberg <ronnie_sahlberg@ozemail.com.au>2003-11-10 08:02:33 +0000
commite301aa1c7e815460e0e2789697e749c1be4e80f4 (patch)
tree1f62eb811563278f3c5da94e25ec76cc2c190ac1
parent6073e3b2653a4b0f4d4e8a579e963e7f0030f9bb (diff)
Bugfix for ethereal crashes
If the ByteCount field in the SMB PDU spanned beyond the end of the packet, because the packet was short or because the BC field was corrupted and contained garbage data, then the tree item for the command (the subtree just after the SMBHeader subtree) would describe data continuing beyond the end of the packet. If we selected one such tree in the dissect pane and used Prepare/Match Selected, this would cause the filter build thing to try to access data beyond the end of the packet and ethereal would dump core. Change the END_OF_SMB macro so that it shrinks bc so that bc never describes data beyond the end of the packet. svn path=/trunk/; revision=8926
-rw-r--r--packet-smb.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/packet-smb.c b/packet-smb.c
index e8951230ae..7544927038 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -3,7 +3,7 @@
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
*
- * $Id: packet-smb.c,v 1.374 2003/10/24 00:36:06 guy Exp $
+ * $Id: packet-smb.c,v 1.375 2003/11/10 08:02:33 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -770,8 +770,17 @@ static int dissect_smb_command(tvbuff_t *tvb, packet_info *pinfo, int offset, pr
#define END_OF_SMB \
if (bc != 0) { \
- proto_tree_add_text(tree, tvb, offset, bc, \
- "Extra byte parameters"); \
+ gint bc_remaining; \
+ bc_remaining=tvb_length_remaining(tvb, offset); \
+ if( ((gint)bc) > bc_remaining){ \
+ bc=0; \
+ } else { \
+ bc=(guint16)bc_remaining; \
+ } \
+ if(bc){ \
+ proto_tree_add_text(tree, tvb, offset, bc, \
+ "Extra byte parameters"); \
+ } \
offset += bc; \
} \
endofcommand:
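Review bot: The clamp added to END_OF_SMB, `if( ((gint)bc) > bc_remaining){ bc=0; } else { bc=(guint16)bc_remaining; }`, has its two assignments the wrong way round for the stated intent of shrinking bc: when the wire ByteCount exceeds what is left in the tvb, bc becomes 0, so the "Extra byte parameters" item is silently dropped and offset is not advanced, while when ByteCount fits, bc is widened to everything remaining and the item now covers bytes the header never claimed. The intended behaviour is a one-sided clamp, `if (bc_remaining < 0) bc_remaining = 0;` followed by `if (((gint)bc) > bc_remaining) bc = (guint16)bc_remaining;` in place of the if/else. The floor at zero matters because tvb_length_remaining() reports -1 for an offset already past the end of the tvb (as I read the tvbuff API of this era), and casting that straight to guint16 would give 65535; the swapped version is only safe there by accident, since -1 falls into the bc=0 branch. A short comment on the macro, `/* ByteCount comes from the wire; never let it describe bytes past the end of the captured data */`, would record why the clamp exists.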