CDP: Don't read outside payload for Port ID

Check if tvb remaining length is greater than expected length. Bug: 12767 Change-Id: Ia04b559432af417db519cfcfbec06e6010b496bf Reviewed-on: https://code.wireshark.org/review/17208 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2016-08-21 17:27:39 +02:00 · 2016-08-21 17:27:39 +02:00 · dc42aadcac
parent 3509b072a6
commit dc42aadcac
1 changed files with 2 additions and 1 deletions
--- a/epan/dissectors/packet-cdp.c
+++ b/epan/dissectors/packet-cdp.c
@ -378,7 +378,8 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)

        case TYPE_PORT_ID:
            real_length = length;
-            if (tvb_get_guint8(tvb, offset + real_length) != 0x00) {
+            if ((tvb_reported_length_remaining(tvb, offset) >= length + 3) &&
+                (tvb_get_guint8(tvb, offset + real_length) != 0x00)) {
                /* The length in the TLV doesn't appear to be the
                   length of the TLV, as the byte just past it
                   isn't the first byte of a 2-byte big-endian