From c8df8a78acb970ba4807c05de9627c84913e89e7 Mon Sep 17 00:00:00 2001 From: Jeff Morriss Date: Sat, 3 Oct 2009 03:09:53 +0000 Subject: Since chunk_size is now unsigned, check to ensure that it is not "too big." (Prior to rev 30233 there was a check to make sure it was not negative. This effectively puts that same check back in.) Fixes the fuzz failure seen in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4083 svn path=/trunk/; revision=30260 --- epan/req_resp_hdrs.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) (limited to 'epan/req_resp_hdrs.c') diff --git a/epan/req_resp_hdrs.c b/epan/req_resp_hdrs.c index 787371921a..7c6588e2fe 100644 --- a/epan/req_resp_hdrs.c +++ b/epan/req_resp_hdrs.c @@ -130,8 +130,8 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; - } - + } + if (linelen == 0) { /* * We found the end of the headers. @@ -286,7 +286,7 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; } - + /* We have a line with the chunk size in it.*/ chunk_string = tvb_get_ephemeral_string(tvb, next_offset, linelen); @@ -305,6 +305,11 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, */ return TRUE; } + if (chunk_size > 2<<31) { + /* Chunk size is unreasonable. */ + /* XXX What /is/ reasonable? */ + return TRUE; + } if (chunk_size == 0) { /* @@ -313,7 +318,7 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, */ linelen = tvb_find_line_end(tvb, chunk_offset, -1, &chunk_offset, TRUE); - + if (linelen == -1 && length_remaining >= reported_length_remaining) { 
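Review bot: The new bound `chunk_size > 2<<31` in the @@ -305 hunk is evaluated in int, and 2<<31 does not fit a 32-bit int, so the shift is undefined behaviour; GCC typically folds it to 0 with a warning, in which case every non-zero chunk size would be treated as "unreasonable" and the function would return TRUE before any chunk is reassembled. The @@ -326 hunk then compares the value as `(gint) chunk_size` against reported_length_remaining, so any size above G_MAXINT goes negative there and passes that test anyway, which suggests the limit should be the signed-int maximum written with an unsigned constant, e.g. `if (chunk_size > (guint) G_MAXINT) {` (G_MAXINT comes from GLib, which the gint/guint types here already rely on), or `(1U << 31)` if the intent really is exactly 2^31. Whichever limit is chosen, a one-line comment stating why that bound was picked would answer the `XXX What /is/ reasonable?` left in the hunk. req_resp_hdrs_do_reassembly begins before the first hunk and continues past this one.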
@@ -326,20 +331,20 @@ req_resp_hdrs_do_reassembly(tvbuff_t *tvb, const int offset, packet_info *pinfo, pinfo->desegment_len = 0; done_chunking = TRUE; } else { - /* + /* * Skip to the next chunk if we - * already have it + * already have it */ if (reported_length_remaining > (gint) chunk_size) { - - next_offset = chunk_offset + + next_offset = chunk_offset + chunk_size + 2; } else { - /* + /* * Fetch this chunk, plus the * trailing CRLF. - */ + */ pinfo->desegment_offset = offset; pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; return FALSE; -- cgit v1.2.1