author | Gerald Combs <gerald@wireshark.org> | 2015-01-26 11:38:33 -0800 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2015-01-26 20:40:01 +0000 |
commit | a835c85e3d662343d7283f1dcdacb8a11d1d0727 (patch) | |
tree | 116a0a974b2732d23f291dcc3366f867b287fa20 /wiretap | |
parent | 5845f290eecbabb8138eaf53dd33689d8ddf8b7a (diff) |
Pcapng: Don't fetch past the end of a GArray.
Due to an off-by-one error an invalid ISB interface ID could make us
fetch past the end of a GArray. Found using American Fuzzy Lop.
Bug: 10895
Change-Id: I7d4049ad7a386ae7e8013b8e741d54a31f353f1f
Reviewed-on: https://code.wireshark.org/review/6798
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/pcapng.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c
index 645668bec2..fe2b980bb6 100644
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@@ -2470,8 +2470,8 @@ pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
 case(BLOCK_TYPE_ISB):
 /* Another interface statistics report */
 pcapng_debug0("pcapng_read: block type BLOCK_TYPE_ISB");
- if (wth->interface_data->len < wblock.data.if_stats.interface_id) {
- pcapng_debug1("pcapng_read: BLOCK_TYPE_ISB wblock.if_stats.interface_id %u > number_of_interfaces", wblock.data.if_stats.interface_id);
+ if (wth->interface_data->len <= wblock.data.if_stats.interface_id) {
+ pcapng_debug1("pcapng_read: BLOCK_TYPE_ISB wblock.if_stats.interface_id %u >= number_of_interfaces", wblock.data.if_stats.interface_id);
 } else {
 /* Get the interface description */
 wtapng_if_descr = &g_array_index(wth->interface_data, wtapng_if_descr_t, wblock.data.if_stats.interface_id);
@@ -2509,7 +2509,7 @@ pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
 got_packet:
 /*pcapng_debug2("Read length: %u Packet length: %u", bytes_read, wth->phdr.caplen);*/
- pcapng_debug1("pcapng_read: data_offset is finally %" G_GINT64_MODIFIER "d", *data_offset + bytes_read);
+ pcapng_debug1("pcapng_read: data_offset is finally %" G_GINT64_MODIFIER "d", *data_offset);
 return TRUE;
 } |
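Review bot: The corrected check in the `BLOCK_TYPE_ISB` case is the only barrier between a file-supplied `interface_id` and `g_array_index()`, a plain macro that does no range checking, and nothing in the code records that. I would add a comment above the `if`, for example `/* interface_id is read from the file and is 0-based: valid values are 0 .. len-1; g_array_index() does not bounds-check */`. As a point of style, putting the untrusted value on the left, `if (wblock.data.if_stats.interface_id >= wth->interface_data->len) {`, matches the wording of the debug message and makes the off-by-one harder to reintroduce. The rejected block is reported only through `pcapng_debug1`, so a malformed ISB is presumably dropped silently in a normal build; it is worth confirming that is intended. pcapng_read starts and ends outside the hunk, so any other `interface_id` lookups in the file could not be checked here for the same `<` comparison.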
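Review bot: The commented-out `pcapng_debug2` line directly above the changed call at `got_packet:` still names `bytes_read`, while the live message no longer adds it to `*data_offset`. Commented-out code that refers to a value the function apparently no longer reports should be deleted rather than left to drift. This debug-output change is also unrelated to the GArray bounds fix and is not mentioned in the commit description, which makes the security fix slightly harder to audit and backport on its own. pcapng_read begins outside the hunk, so whether `bytes_read` is still maintained cannot be confirmed from here.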