From e78093f69f1e95df919bbe644baa06c7e4e720c0 Mon Sep 17 00:00:00 2001
From: Michael Mann <mmann78@netscape.net>
Date: Wed, 2 Dec 2015 19:33:40 -0500
Subject: TDS: Sanity check number of columns to prevent crash.

Bug: 11846
Change-Id: I6eac46dc397263fe005e803730c5d3084bfb7f74
Reviewed-on: https://code.wireshark.org/review/12391
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 epan/dissectors/packet-tds.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'epan/dissectors/packet-tds.c')

diff --git a/epan/dissectors/packet-tds.c b/epan/dissectors/packet-tds.c
index 4872bbce96..3c25cc9eb2 100644
--- a/epan/dissectors/packet-tds.c
+++ b/epan/dissectors/packet-tds.c
@@ -2922,6 +2922,10 @@ dissect_tds7_colmetadata_token(tvbuff_t *tvb, struct _netlib_data *nl_data, guin
     num_columns = tvb_get_letohs(tvb, cur);
     nl_data->num_cols = num_columns;
     proto_tree_add_item(tree, hf_tds_colmetadata_columns, tvb, cur, 2, ENC_LITTLE_ENDIAN);
+    if (nl_data->num_cols > TDS_MAX_COLUMNS) {
+        nl_data->num_cols = 0;
+        return 0;
+    }
     cur +=2;
 
     for(i=0; i != num_columns; i++) {
-- 
cgit v1.2.3