From 5d8b3d565986cd3925e615b5c09bfbd7b9f9fe61 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Wed, 20 Jun 2001 05:18:36 +0000
Subject: [PATCH] Catch TLVs with bogus lengths (i.e., less than the fixed-length header size); otherwise, we run the risk of looping forever.
svn path=/trunk/; revision=3581
---
 packet-cdp.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/packet-cdp.c b/packet-cdp.c
index cb96c4e75b..1ea1862c57 100644
--- a/packet-cdp.c
+++ b/packet-cdp.c
@@ -2,7 +2,7 @@
 * Routines for the disassembly of the "Cisco Discovery Protocol"
 * (c) Copyright Hannes R. Boehm
 *
- * $Id: packet-cdp.c,v 1.37 2001/06/18 02:17:45 guy Exp $
+ * $Id: packet-cdp.c,v 1.38 2001/06/20 05:18:36 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -134,6 +134,18 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 while (tvb_reported_length_remaining(tvb, offset) != 0) {
 type = tvb_get_ntohs(tvb, offset + TLV_TYPE);
 length = tvb_get_ntohs(tvb, offset + TLV_LENGTH);
+ if (length < 4) {
+ tlvi = proto_tree_add_text(cdp_tree, tvb, offset, 4,
+ "TLV with invalid length %u (< 4)",
+ length);
+ tlv_tree = proto_item_add_subtree(tlvi, ett_cdp_tlv);
+ proto_tree_add_uint(tlv_tree, hf_cdp_tlvtype, tvb,
+ offset + TLV_TYPE, 2, type);
+ proto_tree_add_uint(tlv_tree, hf_cdp_tlvlength, tvb,
+ offset + TLV_LENGTH, 2, length);
+ offset += 4;
+ break;
+ }
 switch (type) {
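Review bot: The new `if (length < 4)` block in the second hunk repeats the bare `4` three times and depends on its `break` leaving the `while` loop, which only holds because the check sits ahead of `switch (type)`; neither fact is written down. Since `length` comes straight from captured packet bytes, I would put a comment above the check, for example `/* length counts the 4-byte type/length header itself; anything smaller is malformed and could stall the loop, so stop here */`, and give the header size a name alongside `TLV_TYPE` and `TLV_LENGTH`. The `offset += 4;` just before `break` only matters if code after the loop reads `offset`, which cannot be confirmed here because dissect_cdp starts and ends outside the hunk.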