From 041e3e7c27c78308d0d515171f52a39f8260782b Mon Sep 17 00:00:00 2001
From: Pascal Quantin
Date: Tue, 28 Nov 2017 22:08:18 +0100
Subject: [PATCH] CIP Safety: check packet length before dissecting

Otherwise we can call CRC functions with a negative value, leading to a segmentation fault.

Bug: 14250
Change-Id: I394fa91a5cfa1700fb12441d4884c0367b39df8b
Reviewed-on: https://code.wireshark.org/review/24621
Reviewed-by: Pascal Quantin
Petri-Dish: Pascal Quantin
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-cipsafety.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/epan/dissectors/packet-cipsafety.c b/epan/dissectors/packet-cipsafety.c
index 233e6b5161..6156decb7d 100644
--- a/epan/dissectors/packet-cipsafety.c
+++ b/epan/dissectors/packet-cipsafety.c
@@ -1511,6 +1511,11 @@ dissect_cip_safety_data( proto_tree *tree, proto_item *item, tvbuff_t *tvb, int
 /* compute the base packet length to determine what is actual I/O data */
 base_length = multicast ? 12 : 6;
+ if (item_length <= base_length) {
+ expert_add_info(pinfo, item, &ei_mal_io);
+ return;
+ }
+
 if (((conn_type == ECIDT_O2T) && (server_dir == FALSE)) || ((conn_type == ECIDT_T2O) && (server_dir == TRUE))) {
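Review bot: The new guard only establishes `item_length - base_length >= 1`; if the code after the hunk (dissect_cip_safety_data starts above the `@@` header and continues past the trailing `if`) subtracts further per-format or per-direction overhead before reaching the CRC helpers the commit message names, each of those derived lengths still needs its own lower bound, so please confirm every later `item_length - ...` is covered by this single check. The `<=` also reports a frame of exactly `base_length` bytes, i.e. zero I/O bytes, as malformed rather than empty, which may be intended but is not stated anywhere in the code. I would put the reason above the check, since today it lives only in the commit message: `/* Reject frames too short for any I/O data; sizes derived below would otherwise go negative and reach the CRC helpers. */`. The `int` at the end of the `@@` header suggests `item_length` is signed, which is what lets this comparison also catch a value that already went negative upstream; if it is in fact unsigned the check would not.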