From 32f0d80988847a51d1401151f635f6878a0f66a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Ruytenberg?= Date: Thu, 1 Jun 2017 19:14:33 +0200 Subject: thread: Fix division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Perform sanity check on channel count. Channel count must be greater than zero to build energy measurements list from Energy List TLV [1]. Zero channel count results in a division by zero in dissect_thread_mc. Do not process Energy List TLV if zero. [1]: OpenThread implementation - https://github.com/openthread/openthread/blob/b89a9dfbc117a9c80e795700b67/include/openthread/commissioner.h#L158 Energy List TLV contains energy measurements. If no channels are present, no energy measurements can exist. Bug: 13747 Change-Id: I53a19dfbeae9ef0421c8c144ef3be4da28413ad3 Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1979 Reviewed-on: https://code.wireshark.org/review/21878 Petri-Dish: Stig Bjørlykke Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu --- epan/dissectors/packet-thread.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/epan/dissectors/packet-thread.c b/epan/dissectors/packet-thread.c index 835810c2ae..4b5a8abaa8 100644 --- a/epan/dissectors/packet-thread.c +++ b/epan/dissectors/packet-thread.c @@ -1821,7 +1821,7 @@ dissect_thread_mc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *dat proto_tree *it_tree; int i; - if ((chancount != THREAD_MC_INVALID_CHAN_COUNT) && ((tlv_len % chancount) == 0)) { + if ((chancount != THREAD_MC_INVALID_CHAN_COUNT) && (chancount != 0) && ((tlv_len % chancount) == 0)) { /* Go through the number of el_counts of scan */ for (i = 0; i < (int)(tlv_len / (guint16)chancount); i++) { pi = proto_tree_add_item(tlv_tree, hf_thread_mc_tlv_el_count, tvb, offset, 1, ENC_NA); -- cgit v1.2.1