author | Gerald Combs <gerald@wireshark.org> | 2011-05-11 22:36:59 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2011-05-11 22:36:59 +0000 |
commit | 995d748f0561867b02682d2468fb7ae935866de3 (patch) | |
tree | da4ac9611b40256bc04dc2c0879d31acf5af48a2 /wiretap/snoop.c | |
parent | d264cd565898f2fcaf17aea30eb529ddff9db097 (diff) |
Check our original record length. Fixes a crash bug found by Huzaifa
Sidhpurwala of the Red Hat Security Response Team.
svn path=/trunk/; revision=37068
Diffstat (limited to 'wiretap/snoop.c')
-rw-r--r-- | wiretap/snoop.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/wiretap/snoop.c b/wiretap/snoop.c
index 89cc8a5f8a..552cdbe37e 100644
--- a/wiretap/snoop.c
+++ b/wiretap/snoop.c
@@ -473,6 +473,16 @@ static gboolean snoop_read(wtap *wth, int *err, gchar **err_info,
 rec_size = g_ntohl(hdr.rec_len);
 orig_size = g_ntohl(hdr.orig_len);
 packet_size = g_ntohl(hdr.incl_len);
+ if (orig_size > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("snoop: File has %u-byte original length, bigger than maximum of %u",
+ orig_size, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
 if (packet_size > WTAP_MAX_PACKET_SIZE) {
 /*
 * Probably a corrupt capture file; don't blow up trying |
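Review bot: The comment inside the new `orig_size` check is copied from the `packet_size` check that follows it and blames allocation, but nothing in the hunk shows `orig_size` sizing a buffer. Since `orig_size` is the original length read from an untrusted file header, the comment should say what the bound protects, for example `/* orig_len comes straight from the file; reject values no real packet can have before later code uses it as a length. */`. The two guards are also independent, so a record with `packet_size > orig_size` still passes both. If later code in `snoop_read` assumes the captured length never exceeds the original length, that relation should be checked here as well; the function continues outside the hunk, so this needs confirming against the rest of the body.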