forked from osmocom/wireshark
RPC-over-RDMA: protect against a variable overflow
Bug: 13558 Change-Id: I0cb379df1a6c40a3c4a84f18c631d9239550c3ab Reviewed-on: https://code.wireshark.org/review/20941 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
0bd1190393
commit
280f2feeaf
|
@ -168,7 +168,7 @@ static guint get_write_chunk_size(tvbuff_t *tvb, guint offset)
|
|||
static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
|
||||
{
|
||||
guint32 value_follows;
|
||||
guint start = offset;
|
||||
guint chunk_size, start = offset;
|
||||
|
||||
while (1) {
|
||||
value_follows = tvb_get_ntohl(tvb, offset);
|
||||
|
@ -178,9 +178,11 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
|
|||
if (!value_follows)
|
||||
break;
|
||||
|
||||
offset += get_write_chunk_size(tvb, offset);
|
||||
if (offset > max_offset)
|
||||
chunk_size = get_write_chunk_size(tvb, offset);
|
||||
if ((offset + chunk_size) < offset ||
|
||||
(offset + chunk_size) > max_offset)
|
||||
return 0;
|
||||
offset += chunk_size;
|
||||
}
|
||||
|
||||
return offset - start;
|
||||
|
@ -189,7 +191,7 @@ static guint get_write_list_size(tvbuff_t *tvb, guint max_offset, guint offset)
|
|||
static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
|
||||
{
|
||||
guint32 value_follows;
|
||||
guint num_chunks;
|
||||
guint num_chunks, chunk_size;
|
||||
|
||||
num_chunks = 0;
|
||||
while (1) {
|
||||
|
@ -199,7 +201,9 @@ static guint get_write_list_chunk_count(tvbuff_t *tvb, guint offset)
|
|||
break;
|
||||
|
||||
num_chunks++;
|
||||
offset += get_write_chunk_size(tvb, offset);
|
||||
chunk_size = get_write_chunk_size(tvb, offset);
|
||||
if ((offset + chunk_size) < offset)
|
||||
break;
|
||||
}
|
||||
|
||||
return num_chunks;
|
||||
|
|
Loading…
Reference in New Issue