osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

Make sure dissect_browser_TYPE_12_data() returns the right value. Catch 

integer overflows in that and other functions.  Fixes bug 236.

svn path=/trunk/; revision=14640
This commit is contained in:
Gerald Combs 2005-06-15 22:08:43 +00:00
parent c2b9534398
commit 979d807cf5
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
epan/dissectors/packet-dcerpc-browser.c
View File

@ -94,6 +94,7 @@ dissect_browser_TYPE_4_data(tvbuff_t *tvb, int offset,
{
guint32 len;
dcerpc_info *di;
int old_offset = offset;
di=pinfo->private_data;
if(di->conformant_run){
@ -108,6 +109,8 @@ dissect_browser_TYPE_4_data(tvbuff_t *tvb, int offset,
proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len,
FALSE);
offset += len;
if (offset < old_offset)
THROW(ReportedBoundsError);
return len;
}
@ -140,6 +143,7 @@ dissect_browser_TYPE_3_data(tvbuff_t *tvb, int offset,
{
guint32 len;
dcerpc_info *di;
int old_offset = offset;
di=pinfo->private_data;
if(di->conformant_run){
@ -155,6 +159,8 @@ dissect_browser_TYPE_3_data(tvbuff_t *tvb, int offset,
proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len,
FALSE);
offset += len;
if (offset < old_offset)
THROW(ReportedBoundsError);
return len;
}
@ -743,6 +749,7 @@ dissect_browser_TYPE_9_data(tvbuff_t *tvb, int offset,
{
guint32 len;
dcerpc_info *di;
int old_offset = offset;
di=pinfo->private_data;
if(di->conformant_run){
@ -759,6 +766,8 @@ dissect_browser_TYPE_9_data(tvbuff_t *tvb, int offset,
proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len,
FALSE);
offset += len;
if (offset < old_offset)
THROW(ReportedBoundsError);
return len;
}
@ -932,6 +941,7 @@ dissect_browser_TYPE_12_data(tvbuff_t *tvb, int offset,
{
guint32 len;
dcerpc_info *di;
int old_offset = offset;
di=pinfo->private_data;
if(di->conformant_run){
@ -948,8 +958,10 @@ dissect_browser_TYPE_12_data(tvbuff_t *tvb, int offset,
proto_tree_add_item(tree, hf_browser_unknown_bytes, tvb, offset, len,
FALSE);
offset += len;
if (offset < old_offset)
THROW(ReportedBoundsError);
return len;
return offset;
}
static int
dissect_browser_TYPE_12(tvbuff_t *tvb, int offset,