In tvb_get_string(), throw an exception if our length is less than zero.

Add a message block length check to the AIM dissector. svn path=/trunk/; revision=13955
2005-03-28 15:55:47 +00:00 · 2005-03-28 15:55:47 +00:00 · 131ab36a32
parent 9d6ac60cef
commit 131ab36a32
2 changed files with 11 additions and 2 deletions
--- a/epan/dissectors/packet-aim.c
+++ b/epan/dissectors/packet-aim.c
@ -1189,6 +1189,11 @@ int dissect_aim_tlv_value_messageblock (proto_item *ti, guint16 valueid _U_, tvb
    
    /* Block length (includes charset and charsubset) */
    blocklen = tvb_get_ntohs(tvb, offset);
+    if (blocklen <= 4) {
+      proto_tree_add_text(entry, tvb, offset, 2, "Invalid block length: %d",
+        blocklen);
+      break;
+    }
    proto_tree_add_item(entry, hf_aim_messageblock_len, tvb, offset, 2,
 			FALSE);
    offset += 2;
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@ -1711,12 +1711,16 @@ guint8 *
 tvb_get_string(tvbuff_t *tvb, gint offset, gint length)
 {
 	const guint8 *ptr;
-	guint8 *strbuf;
+	guint8 *strbuf = NULL;
+
+	if (length < 0)
+		THROW(DissectorError);

 	ptr = ensure_contiguous(tvb, offset, length);
 	strbuf = g_malloc(length + 1);
-	if (length != 0)
+	if (length != 0) {
 		memcpy(strbuf, ptr, length);
+	}
 	strbuf[length] = '\0';
 	return strbuf;
 }