forked from osmocom/wireshark
Add more bounds checks.
If the calculated packet length in the header is bigger than the actual packet length value from the header, reject the packet. Change-Id: I86cb24c66ee0d6fd2ed6f9240d44c1adc5f0bf91 Reviewed-on: https://code.wireshark.org/review/27087 Reviewed-by: Guy Harris <guy@alum.mit.edu>
This commit is contained in:
parent
4f492559c6
commit
83ecd46776
|
@ -171,7 +171,7 @@ dissect_ipv4_bvlc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat
|
|||
bvlc_length = packet_length;
|
||||
}
|
||||
|
||||
if (bvlc_length < 4) {
|
||||
if (bvlc_length < 4 || bvlc_length > packet_length) {
|
||||
return 0; /* reject */
|
||||
}
|
||||
|
||||
|
@ -377,6 +377,10 @@ dissect_ipv6_bvlc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat
|
|||
break;
|
||||
}
|
||||
|
||||
if (bvlc_length > packet_length) {
|
||||
return 0; /* reject */
|
||||
}
|
||||
|
||||
ti = proto_tree_add_item(tree, proto_bvlc, tvb, 0,
|
||||
bvlc_length, ENC_NA);
|
||||
bvlc_tree = proto_item_add_subtree(ti, ett_bvlc);
|
||||
|
|
Loading…
Reference in New Issue