[OpenSafety] Bugfix invalid length calculation.

Length calculation leads to -1, which will result in a large malloc https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1212 Bug: 13649 Change-Id: Iccb78b8c8ec9ca8e8f97bc12d0d8f41526d1f791 Reviewed-on: https://code.wireshark.org/review/21367 Reviewed-by: Roland Knall <rknall@gmail.com> Petri-Dish: Roland Knall <rknall@gmail.com> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-04-27 09:15:01 -04:00 · 2017-04-27 09:15:01 -04:00 · f643169504
parent a1152a2a1f
commit f643169504
1 changed files with 7 additions and 0 deletions
--- a/epan/dissectors/packet-opensafety.c
+++ b/epan/dissectors/packet-opensafety.c
@ -1286,6 +1286,13 @@ dissect_opensafety_ssdo_message(tvbuff_t *message_tvb, packet_info *pinfo, proto
            else
            {
                payloadSize = dataLength - (payloadOffset - db0Offset);
+                if ((gint)dataLength < (payloadOffset - db0Offset))
+                {
+                    if ( global_opensafety_debug_verbose )
+                        expert_add_info_format(pinfo, opensafety_item, &ei_payload_length_not_positive,
+                                                    "Calculation for payload length yielded non-positive result [%d]", (gint)payloadSize );
+                    return;
+                }

                if ( fragmentId != 0 && packet->payload.ssdo->sacmd.segmented )
                {