CDP: Don't read outside payload for Port ID

Check if tvb remaining length is greater than expected length. Bug: 12767 Change-Id: Ia04b559432af417db519cfcfbec06e6010b496bf Reviewed-on: https://code.wireshark.org/review/17208 Petri-Dish: Jim Young <jim.young.ws@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
author: Uli Heilmeier <uh@heilmeier.eu> 2016-08-21 17:27:39 +0200
committer: Alexis La Goutte <alexis.lagoutte@gmail.com> 2016-08-21 17:44:49 +0000
commit: dc42aadcac2636df4c15f8650b668503911e3017 (patch)
tree: 07e95ff687c2a3b1b8d9b141adc83932411e9e6d /epan
parent: 3509b072a6e3e3df50390860e657ccb468a6fee1 (diff)
download: wireshark-dc42aadcac2636df4c15f8650b668503911e3017.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/epan/dissectors/packet-cdp.c b/epan/dissectors/packet-cdp.c
index 9cd59d06cb..460d623bd1 100644
--- a/epan/dissectors/packet-cdp.c
+++ b/epan/dissectors/packet-cdp.c
@@ -378,7 +378,8 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 
         case TYPE_PORT_ID:
             real_length = length;
-            if (tvb_get_guint8(tvb, offset + real_length) != 0x00) {
+            if ((tvb_reported_length_remaining(tvb, offset) >= length + 3) &&
+                (tvb_get_guint8(tvb, offset + real_length) != 0x00)) {
                 /* The length in the TLV doesn't appear to be the
                    length of the TLV, as the byte just past it
                    isn't the first byte of a 2-byte big-endian
author	Uli Heilmeier <uh@heilmeier.eu>	2016-08-21 17:27:39 +0200
committer	Alexis La Goutte <alexis.lagoutte@gmail.com>	2016-08-21 17:44:49 +0000
commit	dc42aadcac2636df4c15f8650b668503911e3017 (patch)
tree	07e95ff687c2a3b1b8d9b141adc83932411e9e6d /epan
parent	3509b072a6e3e3df50390860e657ccb468a6fee1 (diff)
download	wireshark-dc42aadcac2636df4c15f8650b668503911e3017.tar.gz