forked from osmocom/wireshark
CIP Safety: check packet length before dissecting
Otherwise we can call CRC functions with a negative value, leading to a segmentation fault. Bug: 14250 Change-Id: I394fa91a5cfa1700fb12441d4884c0367b39df8b Reviewed-on: https://code.wireshark.org/review/24621 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
e29378b030
commit
041e3e7c27
|
@ -1511,6 +1511,11 @@ dissect_cip_safety_data( proto_tree *tree, proto_item *item, tvbuff_t *tvb, int
|
|||
/* compute the base packet length to determine what is actual I/O data */
|
||||
base_length = multicast ? 12 : 6;
|
||||
|
||||
if (item_length <= base_length) {
|
||||
expert_add_info(pinfo, item, &ei_mal_io);
|
||||
return;
|
||||
}
|
||||
|
||||
if (((conn_type == ECIDT_O2T) && (server_dir == FALSE)) ||
|
||||
((conn_type == ECIDT_T2O) && (server_dir == TRUE)))
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue