From efe920af3a9f4d7a35c427ceaf4f95e31050f4d3 Mon Sep 17 00:00:00 2001
From: Dario Lombardo <lomato@gmail.com>
Date: Mon, 18 Feb 2019 14:34:28 +0100
Subject: [PATCH] netscaler: fix crash when reading malformed packets.

When reading a malformed packet, it can occur that we go close to
the end of the buffer. We need to check if we have 2 bytes before
reading a uint16.

Bug: 15497
Change-Id: I2b00f44933ca11b925ffbf05b9855684feebcda5
Reviewed-on: https://code.wireshark.org/review/32028
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 wiretap/netscaler.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c
index c8feb1bbcb..fb36020fe6 100644
--- a/wiretap/netscaler.c
+++ b/wiretap/netscaler.c
@@ -890,6 +890,12 @@ nspm_signature_version(wtap *wth, gchar *nstrace_buf, gint32 len)
         {\
             while (nstrace_buf_offset < nstrace_buflen)\
             {\
+                /* check whether we have enough room to retrieve the recordType */\
+                if (nstrace_buflen - nstrace_buf_offset < 2) {\
+                    *err = WTAP_ERR_BAD_FILE; \
+                    *err_info = g_strdup("nstrace: malformed packet");\
+                    return FALSE;\
+                }\
                 nspr_hd_v##ver##_t *fp = (nspr_hd_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\
                 switch (nspr_getv##ver##recordtype(fp))\
                 {\