From a0ad7be1d14c16dfcfb6514cfe60047eb0f6a5fe Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Sun, 28 Nov 2004 04:21:30 +0000
Subject: The recent length check added to proto_tree_add_string() revealed a couple of problems when reading the PROTOS SNMP captures. Check for integer overflows in dissect_snmp_pdu and asn1_null_decode.

svn path=/trunk/; revision=12609
---
 asn1.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'asn1.c')

diff --git a/asn1.c b/asn1.c
index ce734b7ef0..8edd59bcb8 100644
--- a/asn1.c
+++ b/asn1.c
@@ -418,7 +418,17 @@ asn1_eoc_decode (ASN1_SCK *asn1, int eoc)
 int
 asn1_null_decode ( ASN1_SCK *asn1, int enc_len)
 {
+ int start_off = asn1->offset;
+
 asn1->offset += enc_len;
+ /*
+ * Check for integer overflows.
+ * XXX - ASN1_ERR_LENGTH_MISMATCH seemed like the most appropriate
+ * error from the ones available. Should we make a new one?
+ */
+ if (asn1->offset < 0 || asn1->offset < start_off)
+ return ASN1_ERR_LENGTH_MISMATCH;
+
 return ASN1_ERR_NOERROR;
 }
-- 
cgit v1.2.3
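Review bot: The overflow test in asn1_null_decode runs after `asn1->offset += enc_len;`, and if offset is a signed int (start_off is declared `int` and copied from it) a wrapped addition is undefined behaviour, so an optimising compiler is entitled to drop the `asn1->offset < start_off` comparison. Test before mutating instead: `if (enc_len < 0 || enc_len > INT_MAX - asn1->offset) return ASN1_ERR_LENGTH_MISMATCH;` and only then `asn1->offset += enc_len;` (INT_MAX needs `<limits.h>`, which the hunk does not show as included). That ordering also leaves the ASN1_SCK offset untouched on the error return, whereas the new code hands back the already-advanced value. The check bounds only the integer range; whether the new offset still lies inside the captured data is presumably enforced elsewhere and is worth confirming, since enc_len appears to come from a length field in the packet.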