Fix infinite loop for when port max range is -1

Due to integer overflow (unsigned -1 + 1 = 0), a call to dissector_add_uint_range would be stuck in an infinite loop, eventually crashing due to out of memory. Found when setting radius.alternate_port:-1, but could happen with any dissector using similar ports_range constructs. Change-Id: Ia234e94516446250e959e0f51d552bef704cddff Reviewed-on: https://code.wireshark.org/review/13153 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-01-09 15:27:14 +01:00 · 2016-01-09 15:27:14 +01:00 · a5a2c3c04f
parent f83e20202f
commit a5a2c3c04f
1 changed files with 4 additions and 2 deletions
--- a/epan/packet.c
+++ b/epan/packet.c
@ -952,8 +952,9 @@ void dissector_add_uint_range(const char *abbrev, range_t *range,

 	if (range) {
 		for (i = 0; i < range->nranges; i++) {
-			for (j = range->ranges[i].low; j <= range->ranges[i].high; j++)
+			for (j = range->ranges[i].low; j < range->ranges[i].high; j++)
 				dissector_add_uint(abbrev, j, handle);
+			dissector_add_uint(abbrev, range->ranges[i].high, handle);
 		}
 	}
 }
@ -997,8 +998,9 @@ void dissector_delete_uint_range(const char *abbrev, range_t *range,

 	if (range) {
 		for (i = 0; i < range->nranges; i++) {
-			for (j = range->ranges[i].low; j <= range->ranges[i].high; j++)
+			for (j = range->ranges[i].low; j < range->ranges[i].high; j++)
 				dissector_delete_uint(abbrev, j, handle);
+			dissector_delete_uint(abbrev, range->ranges[i].high, handle);
 		}
 	}
 }