From 37667ae337f2ef1b62db000c0dc3b4ac42128aa5 Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Mon, 29 Nov 2004 17:52:38 +0000
Subject: [PATCH] Check for an overly large header length value in order to avoid an integer overflow.

svn path=/trunk/; revision=12619
---
 epan/dissectors/packet-isakmp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/epan/dissectors/packet-isakmp.c b/epan/dissectors/packet-isakmp.c
index 9217cca11f..0b65ba76cc 100644
--- a/epan/dissectors/packet-isakmp.c
+++ b/epan/dissectors/packet-isakmp.c
@@ -470,11 +470,11 @@ dissect_payloads(tvbuff_t *tvb, proto_tree *tree, guint8 initial_payload,
 static void
 dissect_isakmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 {
- int offset = 0;
+ int offset = 0, len;
 struct isakmp_hdr hdr;
 proto_item * ti;
 proto_tree * isakmp_tree = NULL;
- guint32 len;
+g_warning("in isakmp");
 if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, "ISAKMP");
@@ -551,12 +551,19 @@ dissect_isakmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 return;
 }
+ len = hdr.length - sizeof(hdr);
+
+ if (len < 0) {
+ proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.length),
+ "Length: (bogus, length is %u, which is too large)",
+ hdr.length);
+ return;
+ }
+
 proto_tree_add_text(isakmp_tree, tvb, offset, sizeof(hdr.length), "Length: %u", hdr.length);
 offset += sizeof(hdr.length);
- len = hdr.length - sizeof(hdr);
-
 if (hdr.flags & E_FLAG) {
 if (len && isakmp_tree) {
 proto_tree_add_text(isakmp_tree, tvb, offset, len,
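Review bot: The added `g_warning("in isakmp");` in the first hunk (at the end of the declarations in dissect_isakmp) looks like leftover debug output and is unrelated to the length check. As written it would emit a warning every time this dissector is entered, so it should be removed from the patch. If `len` stays an `int`, a short comment on its declaration such as `/* signed so that a bogus header length can be detected as negative */` would explain why the type changed from `guint32`. The body of dissect_isakmp continues outside this hunk.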
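Review bot: The `len < 0` test in the second hunk also fires when `hdr.length` is smaller than `sizeof(hdr)`, because the unsigned subtraction wraps and converts to a negative `int`. The item text nevertheless always says the length is too large, and the outcome of that unsigned-to-signed conversion is implementation-defined. Checking the field before subtracting makes both cases explicit, e.g. `if (hdr.length < sizeof(hdr) || hdr.length - sizeof(hdr) > G_MAXINT) {` around the bogus-length item, with `len = hdr.length - sizeof(hdr);` assigned only after it. Whether the lines between the two hunks already reject a too-small length cannot be seen here. The uses of `len` continue past the end of the hunk, so it may also be worth bounding it against the data actually left in the tvb at that point.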