From dc42aadcac2636df4c15f8650b668503911e3017 Mon Sep 17 00:00:00 2001
From: Uli Heilmeier <uh@heilmeier.eu>
Date: Sun, 21 Aug 2016 17:27:39 +0200
Subject: CDP: Don't read outside payload for Port ID

Check if tvb remaining length is greater than expected length.

Bug: 12767
Change-Id: Ia04b559432af417db519cfcfbec06e6010b496bf
Reviewed-on: https://code.wireshark.org/review/17208
Petri-Dish: Jim Young <jim.young.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
---
 epan/dissectors/packet-cdp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'epan/dissectors/packet-cdp.c')

diff --git a/epan/dissectors/packet-cdp.c b/epan/dissectors/packet-cdp.c
index 9cd59d06cb..460d623bd1 100644
--- a/epan/dissectors/packet-cdp.c
+++ b/epan/dissectors/packet-cdp.c
@@ -378,7 +378,8 @@ dissect_cdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
 
         case TYPE_PORT_ID:
             real_length = length;
-            if (tvb_get_guint8(tvb, offset + real_length) != 0x00) {
+            if ((tvb_reported_length_remaining(tvb, offset) >= length + 3) &&
+                (tvb_get_guint8(tvb, offset + real_length) != 0x00)) {
                 /* The length in the TLV doesn't appear to be the
                    length of the TLV, as the byte just past it
                    isn't the first byte of a 2-byte big-endian
-- 
cgit v1.2.3