diff options
author | Uli Heilmeier <uh@heilmeier.eu> | 2016-08-21 17:27:39 +0200 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2016-08-21 17:44:49 +0000 |
commit | dc42aadcac2636df4c15f8650b668503911e3017 (patch) | |
tree | 07e95ff687c2a3b1b8d9b141adc83932411e9e6d /epan | |
parent | 3509b072a6e3e3df50390860e657ccb468a6fee1 (diff) | |
download | wireshark-dc42aadcac2636df4c15f8650b668503911e3017.tar.gz |
CDP: Don't read outside payload for Port ID
Check if tvb remaining length is greater than expected length.
Bug: 12767
Change-Id: Ia04b559432af417db519cfcfbec06e6010b496bf
Reviewed-on: https://code.wireshark.org/review/17208
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-cdp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/epan/dissectors/packet-cdp.c b/epan/dissectors/packet-cdp.c index 9cd59d06cb..460d623bd1 100644 --- a/epan/dissectors/packet-cdp.c +++ b/epan/dissectors/packet-cdp.c @@ -378,7 +378,8 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) case TYPE_PORT_ID: real_length = length; - if (tvb_get_guint8(tvb, offset + real_length) != 0x00) { + if ((tvb_reported_length_remaining(tvb, offset) >= length + 3) && + (tvb_get_guint8(tvb, offset + real_length) != 0x00)) { /* The length in the TLV doesn't appear to be the length of the TLV, as the byte just past it isn't the first byte of a 2-byte big-endian |