authorPeter Wu <peter@lekensteyn.nl>2018-05-14 12:27:15 +0200
committerAnders Broman <a.broman58@gmail.com>2018-05-14 13:07:23 +0000
commitd80acae40d14efeb857258ca923637b590dd6be9 (patch)
parent17647c4041cfe05dbd5e08d68662007b1e8e4146 (diff)
tvbuff: make tvb_bytes_exist fail with negative values
tvb_generic_clone_offset_len uses tvb_bytes_exist to check that the requested tvb data is actually available. It did not expect negative values, which would result in an overly large memory allocation. Bug: 14678 Change-Id: Ie80095a381e55ca5dbbd5c9d835243549d0b212e Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7179 Reviewed-on: https://code.wireshark.org/review/27526 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Anders Broman <a.broman58@gmail.com>
1 files changed, 7 insertions, 0 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index 44eff8415f..2711b8e202 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -552,6 +552,13 @@ tvb_bytes_exist(const tvbuff_t *tvb, const gint offset, const gint length)
DISSECTOR_ASSERT(tvb && tvb->initialized);
+ /*
+ * Negative lengths are not possible and indicate a bug (e.g. arithmetic
+ * error or an overly large value from packet data).
+ */
+ if (length < 0)
+ return FALSE;
exception = check_offset_length_no_exception(tvb, offset, length, &abs_offset, &abs_length);
if (exception)
return FALSE;
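Review bot: The new `if (length < 0)` guard also rejects a length of -1, which other tvbuff calls conventionally accept as "to the end of the buffer", and the added comment does not say so. Any existing caller of tvb_bytes_exist that passed -1 with that meaning would now silently get FALSE; whether such callers exist is not visible in this hunk. I would extend the comment with a line such as `* Note: -1 ("to end of buffer" elsewhere in this API) is rejected here too.` and mirror that in the function's header documentation. The guard only protects callers that act on the return value, so the allocation path named in the commit message should keep treating FALSE as a hard stop. The body of tvb_bytes_exist starts and ends outside the hunk.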