From 6e66cae876e412286cf201e6cceff63b2b8cbfdd Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Mon, 7 Feb 2011 19:39:05 +0000
Subject: Check for a large packet_len. Fixes a bug reported by Huzaifa Sidhpurwala of the Red Hat Security Response Team. See also: bug 5661.

svn path=/trunk/; revision=35855
---
 wiretap/pcapng.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'wiretap')
diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c
index 0876470b1a..7870a797b1 100644
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@@ -817,6 +817,12 @@ pcapng_read_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn, wta
 wblock->data.packet.packet_len, wblock->data.packet.cap_len, wblock->data.packet.interface_id);
+ if (wblock->data.packet.packet_len > WTAP_MAX_PACKET_SIZE) {
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("pcapng_read_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
+ wblock->data.packet.packet_len, WTAP_MAX_PACKET_SIZE);
+ return 0;
+ }
 wtap_encap = pcapng_get_encap(wblock->data.packet.interface_id, pn);
 pcapng_debug3("pcapng_read_packet_block: encapsulation = %d (%s), pseudo header size = %d.",
@@ -979,6 +985,12 @@ pcapng_read_simple_packet_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *
 }
 pcapng_debug1("pcapng_read_simple_packet_block: packet data: packet_len %u", wblock->data.simple_packet.packet_len);
+ if (wblock->data.simple_packet.packet_len > WTAP_MAX_PACKET_SIZE) {
+ *err = WTAP_ERR_BAD_RECORD;
+ *err_info = g_strdup_printf("pcapng_read_simple_packet_block: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
+ wblock->data.simple_packet.packet_len, WTAP_MAX_PACKET_SIZE);
+ return 0;
+ }
 encap = pcapng_get_encap(0, pn);
 pcapng_debug1("pcapng_read_simple_packet_block: Need to read pseudo header of size %d",
--
cgit v1.2.3
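Review bot: The guard added in pcapng_read_packet_block bounds only `packet_len`; `cap_len`, which the debug call just above prints alongside it, is not range-checked anywhere in this hunk. The captured length is presumably what sizes the later read of packet data, so a record with a small `packet_len` and an oversized `cap_len` would pass this test unless a check outside the hunk already rejects it. Consider adding next to it `if (wblock->data.packet.cap_len > wblock->data.packet.packet_len)` with the same `WTAP_ERR_BAD_RECORD` / `return 0` handling, or confirm an existing check covers it. The function body starts and ends outside the hunk, so that check may already be present.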
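Review bot: The guard in pcapng_read_simple_packet_block is a copy of the one added to pcapng_read_packet_block, differing only in the struct member and the function name inside the message. Because this is a bound on a file-supplied length, two hand-maintained copies can drift apart if the limit or the error code changes later. A small static helper that takes the length and the caller's name would keep the limit in one place; the parameter types below are inferred from how `err`, `err_info` and `%u` are used in the hunk and should be confirmed against the real declarations. Both function bodies continue outside their hunks.

```c
/* Reject a file-supplied packet length above the wiretap limit. */
static gboolean
pcapng_packet_len_ok(guint32 packet_len, const char *caller, int *err, gchar **err_info)
{
	if (packet_len <= WTAP_MAX_PACKET_SIZE)
		return TRUE;
	*err = WTAP_ERR_BAD_RECORD;
	*err_info = g_strdup_printf("%s: packet_len %u is larger than WTAP_MAX_PACKET_SIZE %u.",
	                            caller, packet_len, WTAP_MAX_PACKET_SIZE);
	return FALSE;
}

/* ... unchanged: pcapng_read_simple_packet_block up to the packet_len debug line ... */
	if (!pcapng_packet_len_ok(wblock->data.simple_packet.packet_len,
	                          "pcapng_read_simple_packet_block", err, err_info))
		return 0;
/* ... unchanged: pcapng_get_encap call and pseudo-header handling ... */
```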