-rw-r--r--wiretap/airopeek9.c15
-rw-r--r--wiretap/nettl.c11
-rw-r--r--wiretap/packetlogger.c10
3 files changed, 35 insertions, 1 deletions
diff --git a/wiretap/airopeek9.c b/wiretap/airopeek9.c
index 63130845ed..b959cbaf02 100644
--- a/wiretap/airopeek9.c
+++ b/wiretap/airopeek9.c
@@ -500,10 +500,23 @@ static gboolean airopeekv9_read(wtap *wth, int *err, gchar **err_info,
return FALSE;
wth->data_offset += hdrlen;
- /* force sliceLength to be the actual length of the packet */
+ /*
+ * If sliceLength is 0, force it to be the actual length of the packet.
+ */
if (hdr_info.sliceLength == 0)
hdr_info.sliceLength = hdr_info.length;
+ if (hdr_info.sliceLength > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("airopeek9: File has %u-byte packet, bigger than maximum of %u",
+ hdr_info.sliceLength, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
+
/* fill in packet header length values before slicelength may be
adjusted */
wth->phdr.len = hdr_info.length;
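Review bot: The size check added here is repeated almost verbatim in the nettl.c and packetlogger.c hunks of this commit, differing only in the module prefix and the length expression. Any reader that sizes a buffer from a length field taken from the capture file needs the same cap, so one shared wiretap helper would keep the limit and the message in one place. It would take the module name and the length, set `*err = WTAP_ERR_BAD_RECORD` and fill `*err_info`, which also makes a reader that lacks the check easier to spot in review. airopeekv9_read starts and ends outside the hunk, so how `sliceLength` is used after this point is not visible here.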
diff --git a/wiretap/nettl.c b/wiretap/nettl.c
index fe6217915e..e265b45da9 100644
--- a/wiretap/nettl.c
+++ b/wiretap/nettl.c
@@ -318,6 +318,17 @@ static gboolean nettl_read(wtap *wth, int *err, gchar **err_info,
}
wth->data_offset += ret;
+ if (wth->phdr.caplen > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("nettl: File has %u-byte packet, bigger than maximum of %u",
+ wth->phdr.caplen, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
+
/*
* If the per-file encapsulation isn't known, set it to this
* packet's encapsulation.
diff --git a/wiretap/packetlogger.c b/wiretap/packetlogger.c
index 79e67cfaf1..afe918f9a9 100644
--- a/wiretap/packetlogger.c
+++ b/wiretap/packetlogger.c
@@ -106,6 +106,16 @@ packetlogger_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
*err_info = g_strdup_printf("packetlogger: record length %u is too small", pl_hdr.len);
return FALSE;
}
+ if (pl_hdr.len - 8 > WTAP_MAX_PACKET_SIZE) {
+ /*
+ * Probably a corrupt capture file; don't blow up trying
+ * to allocate space for an immensely-large packet.
+ */
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("packetlogger: File has %u-byte packet, bigger than maximum of %u",
+ pl_hdr.len - 8, WTAP_MAX_PACKET_SIZE);
+ return FALSE;
+ }
buffer_assure_space(wth->frame_buffer, pl_hdr.len - 8);
bytes_read = file_read(buffer_start_ptr(wth->frame_buffer),
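Review bot: `pl_hdr.len - 8` now appears three times in this stretch (the new comparison, its error message and the `buffer_assure_space` call), and each use is only meaningful because of the "too small" rejection just above, whose condition lies outside the hunk. Computing it once after that rejection, for example `guint32 payload_len = pl_hdr.len - 8;` with a comment saying what the 8 bytes are, and using `payload_len` in all three places would tie the bound that is checked to the size that is allocated. The type is an assumption based on the `%u` format. packetlogger_read starts and ends outside the hunk.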