authorChris Maynard <Christopher.Maynard@GTECH.COM>2012-05-24 23:35:23 +0000
committerChris Maynard <Christopher.Maynard@GTECH.COM>2012-05-24 23:35:23 +0000
commit0c491764115161bfd8597c9bf0c9050b63493da0 (patch)
tree91d45e3b44f32a347724e942a04e661a2195f3cf /asn1/snmp
parentb7e5cce7213a2652b1da716cdd7654e9b6e70154 (diff)
tvb_length_remaining() can return a negative number, so be sure to handle it. Fixes Coverity CIDs 280233-280235.
svn path=/trunk/; revision=42839
Diffstat (limited to 'asn1/snmp')
-rw-r--r--asn1/snmp/packet-snmp-template.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/asn1/snmp/packet-snmp-template.c b/asn1/snmp/packet-snmp-template.c
index 060bf72f67..3f236977c7 100644
--- a/asn1/snmp/packet-snmp-template.c
+++ b/asn1/snmp/packet-snmp-template.c
@@ -1276,6 +1276,10 @@ snmp_usm_auth_md5(snmp_usm_params_t* p, guint8** calc_auth_p, guint* calc_auth_l
}
msg_len = tvb_length_remaining(p->msg_tvb,0);
+ if (msg_len <= 0) {
+ *error = "Not enough data remaining";
+ return FALSE;
+ }
msg = ep_tvb_memdup(p->msg_tvb,0,msg_len);
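Review bot: The new `msg_len <= 0` guard rejects a negative return only if `msg_len` is a signed type, and its declaration is outside this hunk, as is the rest of snmp_usm_auth_md5. If it is declared `guint`, the test reduces to `== 0` and a negative return from tvb_length_remaining() would still be carried forward as a very large length, so the declaration should then read `gint msg_len;`. The same applies to `msg_len` in the snmp_usm_auth_sha1 hunk and to `cryptgrm_len` in the snmp_usm_priv_des and snmp_usm_priv_aes hunks. A comment above the check, such as `/* tvb_length_remaining() can return a negative value; never use it as a length unchecked */`, would record why the guard is there.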
@@ -1337,6 +1341,10 @@ snmp_usm_auth_sha1(snmp_usm_params_t* p _U_, guint8** calc_auth_p, guint* calc_a
}
msg_len = tvb_length_remaining(p->msg_tvb,0);
+ if (msg_len <= 0) {
+ *error = "Not enough data remaining";
+ return FALSE;
+ }
msg = ep_tvb_memdup(p->msg_tvb,0,msg_len);
auth = ep_tvb_memdup(p->auth_tvb,0,auth_len);
@@ -1396,7 +1404,7 @@ snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar c
cryptgrm_len = tvb_length_remaining(encryptedData,0);
- if (cryptgrm_len % 8) {
+ if ((cryptgrm_len <= 0) || (cryptgrm_len % 8)) {
*error = "decryptionError: the length of the encrypted data is not a mutiple of 8 octets";
return NULL;
}
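Review bot: When `cryptgrm_len <= 0`, the combined condition reports "the length of the encrypted data is not a multiple of 8 octets", which is wrong for an empty payload (0 is a multiple of 8) and hides the real cause from whoever reads the dissector output. Test the length on its own first, as the snmp_usm_priv_aes hunk does: `if (cryptgrm_len <= 0) { *error = "Not enough data remaining"; return NULL; }`, and leave `if (cryptgrm_len % 8) {` as it was. The message on the following context line also misspells "multiple" as "mutiple". snmp_usm_priv_des starts and ends outside the hunk.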
@@ -1466,6 +1474,10 @@ snmp_usm_priv_aes(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar c
tvb_memcpy(p->priv_tvb,&(iv[8]),0,8);
cryptgrm_len = tvb_length_remaining(encryptedData,0);
+ if (cryptgrm_len <= 0) {
+ *error = "Not enough data remaining";
+ return NULL;
+ }
cryptgrm = ep_tvb_memdup(encryptedData,0,-1);
cleartext = ep_alloc(cryptgrm_len);
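Review bot: The value validated by the new check is `cryptgrm_len`, but the copy on the next line is sized by `-1` (to the end of the buffer) while `cleartext` is allocated with `cryptgrm_len`, so the checked length and the copied size are tied together only implicitly. Passing the checked value, `cryptgrm = ep_tvb_memdup(encryptedData,0,cryptgrm_len);`, matches how the md5 and sha1 hunks pass `msg_len` and keeps the input and output buffers visibly the same size. The decryption that presumably consumes both buffers is outside the hunk, as are the start and end of snmp_usm_priv_aes.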