diff options
| author | Gerald Combs <gerald@wireshark.org> | 2011-02-07 19:39:05 +0000 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2011-02-07 19:39:05 +0000 |
| commit | 6e66cae876e412286cf201e6cceff63b2b8cbfdd (patch) | |
| tree | fcb18cafec8a52a1b4beaa30c43fd37efc43f638 /wiretap | |
| parent | e895aa9ddf29febf13feec546adfccd74139d13c (diff) | |
Check for a large packet_len. Fixes a bug reported by Huzaifa
Sidhpurwala of the Red Hat Security Response Team.
See also: bug 5661.
svn path=/trunk/; revision=35855
Diffstat (limited to 'wiretap')
| -rw-r--r-- | wiretap/pcapng.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c index 0876470b1a..7870a797b1 100644 --- a/wiretap/pcapng.c +++ b/wiretap/pcapng.c @@ -817,6 +817,12 @@ pcapng_read_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wta wblock->data.packet.packet_len, wblock->data.packet.cap_len, wblock->data.packet.interface_id); + if (wblock->data.packet.packet_len > WTAP_MAX_PACKET_SIZE) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup_printf("pcapng_read_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.", + wblock->data.packet.packet_len, WTAP_MAX_PACKET_SIZE); + return 0; + } wtap_encap = pcapng_get_encap(wblock->data.packet.interface_id, pn); pcapng_debug3("pcapng_read_packet_block: encapsulation = %d (%s), pseudo header size = %d.", @@ -979,6 +985,12 @@ pcapng_read_simple_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t * } pcapng_debug1("pcapng_read_simple_packet_block: packet data: packet_len %u", wblock->data.simple_packet.packet_len); + if (wblock->data.simple_packet.packet_len > WTAP_MAX_PACKET_SIZE) { + *err = WTAP_ERR_BAD_RECORD; + *err_info = g_strdup_printf("pcapng_read_simple_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.", + wblock->data.simple_packet.packet_len, WTAP_MAX_PACKET_SIZE); + return 0; + } encap = pcapng_get_encap(0, pn); pcapng_debug1("pcapng_read_simple_packet_block: Need to read pseudo header of size %d", |