CIP Safety: check packet length before dissecting

Otherwise we can call CRC functions with a negative value, leading to
a segmentation fault.

Bug: 14250
Change-Id: I394fa91a5cfa1700fb12441d4884c0367b39df8b
Reviewed-on: https://code.wireshark.org/review/24621
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Pascal Quantin 2017-11-28 22:08:18 +01:00 committed by Anders Broman
parent e29378b030
commit 041e3e7c27
1 changed files with 5 additions and 0 deletions

@ -1511,6 +1511,11 @@ dissect_cip_safety_data( proto_tree *tree, proto_item *item, tvbuff_t *tvb, int
/* compute the base packet length to determine what is actual I/O data */
base_length = multicast ? 12 : 6;
if (item_length <= base_length) {
expert_add_info(pinfo, item, &ei_mal_io);
return;
}
if (((conn_type == ECIDT_O2T) && (server_dir == FALSE)) ||
((conn_type == ECIDT_T2O) && (server_dir == TRUE)))
{
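Review bot: the new guard `if (item_length <= base_length)` has no comment explaining why the equal case is rejected along with the shorter one; the existing comment above it only covers how base_length is computed. Since the commit message says the CRC functions would otherwise be called with a negative value, a short comment stating the invariant would help the next reader, for example that the item must carry at least one byte of I/O data beyond the 6 (or 12 for multicast) overhead bytes before any length is derived from it. It is also worth confirming that the text of ei_mal_io tells the user the packet is too short; if it is a generic "malformed" message, including item_length and base_length in the expert info would make the report easier to triage.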