From 280f2feeaf95fcf50f028162b49be1bf6866c918 Mon Sep 17 00:00:00 2001
From: Pascal Quantin
Date: Wed, 5 Apr 2017 22:58:18 +0200
Subject: RPC-over-RDMA: protect against a variable overflow
Bug: 13558
Change-Id: I0cb379df1a6c40a3c4a84f18c631d9239550c3ab
Reviewed-on: https://code.wireshark.org/review/20941
Reviewed-by: Pascal Quantin
Petri-Dish: Pascal Quantin
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-rpcrdma.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'epan/dissectors/packet-rpcrdma.c')
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
index 4ea92abe19..ddcdc62176 100644
--- a/epan/dissectors/packet-rpcrdma.c
+++ b/epan/dissectors/packet-rpcrdma.c
@@ -168,7 +168,7 @@ static guint get_write_chunk_size(tvbuff_t *tvb, guint offset)
 static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
 {
 guint32 value_follows;
- guint start = offset;
+ guint chunk_size, start = offset;
 while (1) {
 value_follows = tvb_get_ntohl(tvb, offset);
@@ -178,9 +178,11 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
 if (!value_follows)
 break;
- offset += get_write_chunk_size(tvb, offset);
- if (offset > max_offset)
+ chunk_size = get_write_chunk_size(tvb, offset);
+ if ((offset + chunk_size) < offset ||
+ (offset + chunk_size) > max_offset)
 return 0;
+ offset += chunk_size;
 }
 return offset - start;
@@ -189,7 +191,7 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
 static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
 {
 guint32 value_follows;
- guint num_chunks;
+ guint num_chunks, chunk_size;
 num_chunks = 0;
 while (1) {
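Review bot: The new guard in get_write_list_size (hunk at -178) relies on guint wrap-around without saying so, and its `return 0` now stands for two different conditions; a one-line comment such as `/* guint addition wraps: a sum below offset means offset + chunk_size overflowed */` would make the intent clear. The check covers only this addition. Whether the value returned by get_write_chunk_size can itself wrap while it is being computed is not visible in this patch and is worth confirming, since it is presumably derived from packet contents. The function starts in the previous hunk and ends outside this one.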
@@ -199,7 +201,9 @@ static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
 break;
 num_chunks++;
- offset += get_write_chunk_size(tvb, offset);
+ chunk_size = get_write_chunk_size(tvb, offset);
+ if ((offset + chunk_size) < offset)
+ break;
 }
 return num_chunks;
-- 
cgit v1.2.3
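Review bot: In get_write_list_chunk_count the removed `offset += get_write_chunk_size(tvb, offset);` is replaced only by the size read and the wrap check, so as shown in this hunk `offset` is never advanced past the chunk. The next iteration would then read `value_follows` from inside the chunk body, so the returned count no longer reflects the write list whenever a chunk is present. The parallel change in get_write_list_size keeps the advance, so this looks like an omission: add `offset += chunk_size;` after the `break;` and before the closing brace of the loop. The loop and the function begin outside this hunk.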