Comment #5 on bug 12119 from Diederik de Groot
(In reply to Michael Mann from comment #4)
> I think the best solution would be to try to get the "tap data" (si
> variable) as close to the top of a function as possible. Then you could put
> an if (ptvcursor_tree(cursor) == NULL) right after all of the uses.
> Hopefully that can eliminate all of the loops.
> Barring that, you need to have sanity checks after grabbing any loop value
> from the packet and checking if its loop size is too big for the packet.
> Using this capture as an example, in handle_UpdateCapabilitiesV3Message,
> there should be a check if (audioCapCount * "size of audio capability
> structure") is greater than reported length of tvb, then return from
> function.
Would adding this do the trick (3rd line)?
guint32 counter_1 = 0;
ptvcursor_add_text_with_subtree(cursor, SUBTREE_UNDEFINED_LENGTH,
    ett_skinny_tree, "caps [ref: capCount = %d, max:18]", capCount);
if (hdr_data_length - ptvcursor_current_offset(cursor) >= (capCount * 16)
    && capCount <= 18) { /* tvb size guard */
    for (counter_1 = 0; counter_1 < 18; counter_1++) {
        ...
    }
}
Where would you like me to add the ptvcursor_tree(cursor) != NULL check, after
adding the subtree cursor?
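As an added illustration of the guard being discussed (this is not code from the bug thread or from Wireshark's packet-skinny.c), the same check written against a plain byte buffer instead of a tvb and ptvcursor. The entry size of 16 bytes and the maximum of 18 entries are taken from the proposed snippet; the function names caps_fit_in_buffer and parse_caps, the entry layout, and the sample buffer are constructed for the example. Two ordering details are deliberate: the count is bounded before it is multiplied, so the product cannot wrap, and the cursor offset is compared against the declared length before the subtraction, so an unsigned "remaining bytes" value cannot wrap to a huge number.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants taken from the proposed guard: 16-byte entries, at most 18 of them. */
#define CAP_ENTRY_SIZE 16u
#define CAP_MAX_COUNT  18u

/* Returns 1 when capCount entries starting at `offset` lie entirely inside a
 * buffer of data_length bytes, 0 otherwise. Order matters: reject a cursor that
 * is already past the end before subtracting, and bound capCount before the
 * multiplication so neither operation can wrap. */
int caps_fit_in_buffer(uint32_t data_length, uint32_t offset, uint32_t capCount)
{
    if (offset > data_length)           /* cursor beyond declared length */
        return 0;
    if (capCount > CAP_MAX_COUNT)       /* count larger than the protocol allows */
        return 0;
    uint32_t remaining = data_length - offset;   /* safe: offset <= data_length */
    /* capCount <= 18 here, so the product is at most 288 and cannot overflow. */
    return (capCount * CAP_ENTRY_SIZE) <= remaining;
}

/* Constructed entry layout (hypothetical, not the Skinny wire format): the first
 * four bytes of each entry are a little-endian codec id, the rest is padding.
 * Walks the entries only after the guard passes; returns the number of entries
 * parsed and stores the sum of the codec ids, or returns -1 if rejected. */
int parse_caps(const uint8_t *buf, uint32_t buf_len, uint32_t offset,
               uint32_t capCount, uint32_t *codec_sum)
{
    if (!caps_fit_in_buffer(buf_len, offset, capCount))
        return -1;

    uint32_t sum = 0;
    for (uint32_t i = 0; i < capCount; i++) {
        const uint8_t *e = buf + offset + i * CAP_ENTRY_SIZE;
        uint32_t codec = (uint32_t)e[0] | ((uint32_t)e[1] << 8)
                       | ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
        sum += codec;
    }
    if (codec_sum)
        *codec_sum = sum;
    return (int)capCount;
}

/* Constructed sample message: two 16-byte entries with codec ids 4 and 9. */
const uint8_t kSampleCaps[2 * CAP_ENTRY_SIZE] = {
    4, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    9, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
};

int main(void)
{
    uint32_t sum = 0;
    /* Honest count: fits, both entries parsed. */
    printf("capCount=2 -> %d entries, codec sum %u\n",
           parse_caps(kSampleCaps, sizeof kSampleCaps, 0, 2, &sum), sum);
    /* Count larger than the buffer: rejected before any read. */
    printf("capCount=5 -> %d\n",
           parse_caps(kSampleCaps, sizeof kSampleCaps, 0, 5, &sum));
    /* Count whose product would wrap in 32 bits: rejected by the bound. */
    printf("capCount=0x10000001 -> %d\n",
           parse_caps(kSampleCaps, sizeof kSampleCaps, 0, 0x10000001u, &sum));
    return 0;
}
```

The guard returns a plain yes/no so the dissector can stop parsing the message cleanly; the loop itself then only runs over entries the guard has already proven to be in range.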