Blame SOURCES/wireshark-1.10.14-CVE-2015-3813.patch
diff --git a/epan/reassemble.c b/epan/reassemble.c
index 5ff9dcf..0838cb1 100644
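--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -1008,9 +1008,11 @@ fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, const int offset,
 
  /* If we have reached this point, the packet is not defragmented yet.
  * Save all payload in a buffer until we can defragment.
- * XXX - what if we didn't capture the entire fragment due
- * to a too-short snapshot length?
  */
+ if (!tvb_bytes_exist(tvb, offset, fd->len)) {
+ g_slice_free(fragment_data, fd);
+ THROW(BoundsError);
+ }
  fd->data = (unsigned char *)g_malloc(fd->len);
  tvb_memcpy(tvb, fd->data, offset, fd->len);
  LINK_FRAG(fd_head,fd);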
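Review bot: The new guard in front of `g_malloc(fd->len)` carries no comment, and the deleted XXX note was the only text that named the short-snapshot case it now handles. I would add above the `if` something like `/* The capture may have truncated this fragment: verify the bytes exist before allocating, so nothing is left allocated when we throw. */`. In the visible lines `fd` is released before `THROW(BoundsError)` and `LINK_FRAG(fd_head,fd)` only runs afterwards, which suggests `fd` is not yet reachable from `fd_head` on this path. However, fragment_add_work starts and ends outside the hunk, so it is worth confirming that no earlier statement stored `fd` or updated `fd_head` in a way that needs undoing before the throw. It would also help to confirm that `fd->len` cannot exceed the signed range of the length parameter `tvb_bytes_exist` takes, since the declaration of `len` is not shown here.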