Add more bounds checks.

If the calculated packet length in the header is bigger than the actual
packet length value from the header, reject the packet.

Change-Id: I86cb24c66ee0d6fd2ed6f9240d44c1adc5f0bf91
Reviewed-on: https://code.wireshark.org/review/27087
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Guy Harris 2018-04-22 20:31:26 -07:00
parent 4f492559c6
commit 83ecd46776
1 changed files with 5 additions and 1 deletions


@ -171,7 +171,7 @@ dissect_ipv4_bvlc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat
bvlc_length = packet_length;
}
if (bvlc_length < 4) {
if (bvlc_length < 4 || bvlc_length > packet_length) {
return 0; /* reject */
}
@ -377,6 +377,10 @@ dissect_ipv6_bvlc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat
break;
}
if (bvlc_length > packet_length) {
return 0; /* reject */
}
ti = proto_tree_add_item(tree, proto_bvlc, tvb, 0,
bvlc_length, ENC_NA);
bvlc_tree = proto_item_add_subtree(ti, ett_bvlc);
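Review bot: The check added in dissect_ipv6_bvlc bounds bvlc_length only from above, whereas the IPv4 condition in the first hunk also rejects `bvlc_length < 4`. If the switch that closes just before this hunk can take bvlc_length from the header's length field, as the visible IPv4 line `bvlc_length = packet_length;` does, the IPv6 path probably wants a lower bound as well (the minimum IPv6 header size is not visible here). Both checks compare against packet_length, which per the commit message is a value read from the packet header and so is untrusted; they establish internal consistency only, and the following `proto_tree_add_item(tree, proto_bvlc, tvb, 0, bvlc_length, ENC_NA)` still relies on the tvbuff's own bounds checking against the real buffer length. I would also replace the bare `/* reject */` on the new lines with the reason, e.g. `/* computed header length exceeds the length field in the header: not BVLC */`. Both function bodies start and end outside the hunks shown.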