Catch TLVs with bogus lengths (i.e., less than the fixed-length header

size); otherwise, we run the risk of looping forever. svn path=/trunk/; revision=3581
2001-06-20 05:18:36 +00:00 · 2001-06-20 05:18:36 +00:00 · 5d8b3d5659
parent 8073087bdf
commit 5d8b3d5659
1 changed files with 13 additions and 1 deletions
--- a/packet-cdp.c
+++ b/packet-cdp.c
@ -2,7 +2,7 @@
 * Routines for the disassembly of the "Cisco Discovery Protocol"
 * (c) Copyright Hannes R. Boehm <hannes@boehm.org>
 *
- * $Id: packet-cdp.c,v 1.37 2001/06/18 02:17:45 guy Exp $
+ * $Id: packet-cdp.c,v 1.38 2001/06/20 05:18:36 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@zing.org>
@ -134,6 +134,18 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	while (tvb_reported_length_remaining(tvb, offset) != 0) {
 	    type = tvb_get_ntohs(tvb, offset + TLV_TYPE);
 	    length = tvb_get_ntohs(tvb, offset + TLV_LENGTH);
+	    if (length < 4) {
+		tlvi = proto_tree_add_text(cdp_tree, tvb, offset, 4,
+		    "TLV with invalid length %u (< 4)",
+		    length);
+		tlv_tree = proto_item_add_subtree(tlvi, ett_cdp_tlv);
+		proto_tree_add_uint(tlv_tree, hf_cdp_tlvtype, tvb,
+			    offset + TLV_TYPE, 2, type);
+		proto_tree_add_uint(tlv_tree, hf_cdp_tlvlength, tvb,
+			    offset + TLV_LENGTH, 2, length);
+		offset += 4;
+		break;
+	    }

 	    switch (type) {