File wireshark-CVE-2015-3813.patch of Package wireshark.651

Overview Repositories Revisions Requests Users Attributes Meta

File wireshark-CVE-2015-3813.patch of Package wireshark.651

Index: wireshark-1.10.14/epan/reassemble.c
===================================================================
--- wireshark-1.10.14.orig/epan/reassemble.c
+++ wireshark-1.10.14/epan/reassemble.c
@@ -1008,10 +1008,12 @@ fragment_add_work(fragment_data *fd_head
 
 	/* If we have reached this point, the packet is not defragmented yet.
 	 * Save all payload in a buffer until we can defragment.
-	 * XXX - what if we didn't capture the entire fragment due
-	 * to a too-short snapshot length?
 	 */
-	fd->data = (unsigned char *)g_malloc(fd->len);
+	if (!tvb_bytes_exist(tvb, offset, fd->len)) {
+		g_slice_free(fragment_data, fd);
+		THROW(BoundsError);
+	}
+        fd->data = (unsigned char *)g_malloc(fd->len);
 	tvb_memcpy(tvb, fd->data, offset, fd->len);
 	LINK_FRAG(fd_head,fd);
 
@@ -1719,11 +1721,16 @@ fragment_add_seq_work(fragment_data *fd_
 
 	/* If we have reached this point, the packet is not defragmented yet.
 	 * Save all payload in a buffer until we can defragment.
-	 * XXX - what if we didn't capture the entire fragment due
-	 * to a too-short snapshot length?
 	 */
 	/* check len, there may be a fragment with 0 len, that is actually the tail */
 	if (fd->len) {
+                if (!tvb_bytes_exist(tvb, offset, fd->len)) {
+                        /* abort if we didn't capture the entire fragment due
+                         * to a too-short snapshot length */
+                        g_slice_free(fragment_data, fd);
+                        return FALSE;
+                }
+
 		fd->data = (unsigned char *)g_malloc(fd->len);
 		tvb_memcpy(tvb, fd->data, offset, fd->len);
 	}

Places

File wireshark-CVE-2015-3813.patch of Package wireshark.651

Places