forked from osmocom/wireshark
ber: fix buffer overrun (read) in dissect_ber_constrained_bitstring
The length is an unsigned integer, but some users (such as tvb_memdup) expect signed integers and treat negative values specially. Bug: 14682 Change-Id: Ic3330d23d964b5cc44718b61c8985880f901674d Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8011 Reviewed-on: https://code.wireshark.org/review/27562 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
9ee790e99c
commit
df5a8b29bb
|
@ -3905,11 +3905,11 @@ dissect_ber_constrained_bitstring(gboolean implicit_tag, asn1_ctx_t *actx, proto
|
|||
len = tvb_reported_length_remaining(tvb, offset);
|
||||
end_offset = offset+len;
|
||||
}
|
||||
if (len == 0) {
|
||||
if ((int)len <= 0) {
|
||||
proto_tree_add_expert_format(
|
||||
parent_tree, actx->pinfo, &ei_ber_constr_bitstr, tvb, offset, len,
|
||||
"dissect_ber_constrained_bitstring(): frame:%u offset:%d Was passed an illegal length of 0",
|
||||
actx->pinfo->num, offset);
|
||||
"dissect_ber_constrained_bitstring(): frame:%u offset:%d Was passed an illegal length of %d",
|
||||
actx->pinfo->num, offset, len);
|
||||
return offset;
|
||||
}
|
||||
actx->created_item = NULL;
|
||||
|
|
Loading…
Reference in New Issue