ber: clamp BER lengths to avoid integer overflow
Many callers treat the length as signed integer, so ensure that the length fits in such a number. Failure to do so can have unintended consequences (such as calling "tvb_memdup(tvb, 0, -1)" and assuming that the length is actually 2^32-1). Although an exception could be thrown as well, let's give the caller a chance to handle this themselves. Change-Id: If92545f7d3603250f75741040435000ba879b7e3 Ping-Bug: 14682 Reviewed-on: https://code.wireshark.org/review/27563 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
df5a8b29bb
commit
67c6420473
|
@ -1346,6 +1346,11 @@ try_get_ber_length(tvbuff_t *tvb, int offset, guint32 *length, gboolean *ind, gi
|
|||
}
|
||||
}
|
||||
|
||||
/* Several users treat the length as signed value, clamp the value to avoid
|
||||
* an overflow to negative values. */
|
||||
if (tmp_length > (guint32)G_MAXINT32)
|
||||
tmp_length = (guint32)G_MAXINT32;
|
||||
|
||||
if (length)
|
||||
*length = tmp_length;
|
||||
if (ind)
|
||||
|
|
Loading…
Reference in New Issue