Keep an invalid packet length from overflowing a data buffer.

svn path=/trunk/; revision=5638

1 files changed, 9 insertions, 1 deletions

diff --git a/packet-wcp.c b/packet-wcp.c
index 650e836d55..5beeb1d1b5 100644
--- a/packet-wcp.c
+++ b/packet-wcp.c
@@ -2,7 +2,7 @@
  * Routines for Wellfleet Compression frame disassembly
  * Copyright 2001, Jeffrey C. Foster <jfoste@woodward.com>
  *
- * $Id: packet-wcp.c,v 1.24 2002/06/04 07:03:47 guy Exp $
+ * $Id: packet-wcp.c,v 1.25 2002/06/06 22:42:27 gerald Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@ethereal.com>
@@ -498,6 +498,14 @@ static tvbuff_t *wcp_uncompress( tvbuff_t *src_tvb, int offset, packet_info *pin
 	buf_end = buf_start + MAX_WIN_BUF_LEN;
 	tmp = buf_ptr->buf_cur;
 
+	if (cnt - offset > MAX_WCP_BUF_LEN) {
+		if (tree)
+			proto_tree_add_text( tree, src_tvb, offset, -1,
+				"Compressed data exceeds maximum buffer length (%d > %d)",
+				cnt - offset, MAX_WCP_BUF_LEN);
+		return NULL;
+	}
+
 	src = tvb_memcpy(src_tvb, src_buf, offset, cnt - offset);
 	dst = buf_ptr->buf_cur;