osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

RLC: fix a variable overflow in rlc_decode_li function 

Bug: 12660
Change-Id: I20a423eb9aa72383ac28d176bc60751ed36be9bd
Reviewed-on: https://code.wireshark.org/review/16639
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
This commit is contained in:
Pascal Quantin 2016-07-25 09:37:25 +02:00
parent 47a5fa850b
commit 6cf9616df6
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
epan/dissectors/packet-rlc.c
View File

@ -660,12 +660,12 @@ add_description(proto_item *li_ti, proto_item *length_ti,
/* add information for an LI to 'tree' */
static proto_tree *
tree_add_li(enum rlc_mode mode, struct rlc_li *li, guint8 li_idx, guint8 hdr_offs,
tree_add_li(enum rlc_mode mode, struct rlc_li *li, guint8 li_idx, guint32 hdr_offs,
gboolean li_is_on_2_bytes, tvbuff_t *tvb, proto_tree *tree)
{
proto_item *root_ti, *ti;
proto_tree *li_tree;
guint8 li_offs;
guint32 li_offs;
guint64 length;
if (!tree) return NULL;
@ -1697,7 +1697,8 @@ static gint16
rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
struct rlc_li *li, guint8 max_li, gboolean li_on_2_bytes)
{
guint8 ext, hdr_len, offs = 0, num_li = 0, li_offs;
guint32 hdr_len, offs = 0, li_offs;
guint8 ext, num_li = 0;
guint16 next_bytes, prev_li = 0;
proto_item *malformed;
guint16 total_len;