Fix underflow causing infinite loop in openflow dissector

Bug:10208
Change-Id: I8aff9523fd33cf9e0802153100ea032139966b26
Reviewed-on: https://code.wireshark.org/review/2440
Reviewed-by: Evan Huus <eapache@gmail.com>
(cherry picked from commit 592c3673c63561c5126885933e64d734e0572769)
Reviewed-on: https://code.wireshark.org/review/2441

1 files changed, 9 insertions, 4 deletions

diff --git a/epan/dissectors/packet-openflow_v5.c b/epan/dissectors/packet-openflow_v5.c
index 410d95c82d..1a8c6609a6 100644
--- a/epan/dissectors/packet-openflow_v5.c
+++ b/epan/dissectors/packet-openflow_v5.c
@@ -1455,17 +1455,22 @@ dissect_openflow_hello_element_v5(tvbuff_t *tvb, packet_info *pinfo _U_, proto_t
     proto_tree_add_item(elem_tree, hf_openflow_v5_hello_element_length, tvb, offset, 2, ENC_BIG_ENDIAN);
     offset+=2;
 
+    if (elem_length >= 4) {
+        elem_length -= 4;
+        /* Otherwise expert info? */
+    }
+
     switch (elem_type) {
     case OFPHET_VERSIONBITMAP:
         /* bitmap */
-        proto_tree_add_item(elem_tree, hf_openflow_v5_hello_element_version_bitmap, tvb, offset, elem_length - 4, ENC_NA);
-        offset += elem_length - 4;
+        proto_tree_add_item(elem_tree, hf_openflow_v5_hello_element_version_bitmap, tvb, offset, elem_length, ENC_NA);
+        offset += elem_length;
         break;
 
     default:
         proto_tree_add_expert_format(tree, pinfo, &ei_openflow_v5_hello_element_undecoded,
-                                     tvb, offset, elem_length - 4, "Unknown hello element body.");
-        offset += elem_length - 4;
+                                     tvb, offset, elem_length, "Unknown hello element body.");
+        offset += elem_length;
         break;
     }