Limit the number of operations to 128 (arbitrary number) to keep us from attempting to mallocate way too much memory. This fixes the fuzz failure reported in bug 4976.

svn path=/trunk/; revision=33456

epan/dissectors/packet-nfs.c

@@ -41,6 +41,7 @@
 #include <epan/emem.h>
 #include <epan/strutil.h>
 #include <epan/crc32.h>
+#include <epan/expert.h>
 
 #include <epan/crc16.h>
 #include <glib.h>
@@ -8948,12 +8949,22 @@ dissect_nfs_argop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
 
 	ops = tvb_get_ntohl(tvb, offset+0);
 
-	op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
-	
 	fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
 		"Operations (count: %u)", ops);
 	offset += 4;
 
+#define MAX_NFSV4_OPS 128
+	if (ops > MAX_NFSV4_OPS) {
+		/*  Limit the number of operations to something "reasonable."
+		 *  This is an arbitrary number to keep us from attempting to
+		 *  allocate too much memory below.
+		 */
+		expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
+		ops = MAX_NFSV4_OPS;
+	}
+
+	op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
+
 	if (fitem) {
 		ftree = proto_item_add_subtree(fitem, ett_nfs_argop4);
 	}
@@ -9579,12 +9590,17 @@ dissect_nfs_resop4(tvbuff_t *tvb, int offset, packet_info *pinfo,
 
 	ops = tvb_get_ntohl(tvb, offset+0);
 
-	op_summary=g_malloc(sizeof(nfsv4_operation_summary) * ops);
-
 	fitem = proto_tree_add_uint_format(tree, hf_nfs_ops_count4, tvb, offset+0, 4, ops,
 		"Operations (count: %u)", ops);
 	offset += 4;
 
+	if (ops > MAX_NFSV4_OPS) {
+		expert_add_info_format(pinfo, fitem, PI_MALFORMED, PI_NOTE, "Too many operations");
+		ops = MAX_NFSV4_OPS;
+	}
+
+	op_summary = g_malloc(sizeof(nfsv4_operation_summary) * ops);
+
 	if (fitem) {
 		ftree = proto_item_add_subtree(fitem, ett_nfs_resop4);
 	}