authorMichael Mann <mmann78@netscape.net>2016-03-25 22:50:53 -0400
committerAnders Broman <a.broman58@gmail.com>2016-03-26 10:10:56 +0000
commit59ab27b9c23d20e9f3fc0ad24930f2674a5b6544 (patch)
treefba9d6ff330beef639f5cedbaa1c451deb151e3e
parentaf7cb01bb26afcb837ed60dab22fb6f81e537043 (diff)
Make sure there's enough data in the header for a FMTP packet.
Bug: 12285 Change-Id: I103dff37b34f922ac5c3071c49b7dfe55b059717 Reviewed-on: https://code.wireshark.org/review/14634 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-fmtp.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/epan/dissectors/packet-fmtp.c b/epan/dissectors/packet-fmtp.c
index 0f1aa764bc..54c64bc5bd 100644
--- a/epan/dissectors/packet-fmtp.c
+++ b/epan/dissectors/packet-fmtp.c
@@ -3,7 +3,7 @@
* Routines for FMTP version 2 packet dissection.
*
* The specifications of this public protocol can be found on Eurocontrol web site:
- * http://www.eurocontrol.int/ses/public/standard_page/fmtp_spec.html
+ * http://www.eurocontrol.int/sites/default/files/publication/files/20070614-fmtp-spec-v2.0.pdf
*
* Copyright 2011, Christophe Paletou <c.paletou@free.fr>
*
@@ -135,6 +135,10 @@ get_fmtp_message_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *da
static gboolean
dissect_fmtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
+ guint16 length;
+
+ if (tvb_captured_length(tvb) < 5)
+ return FALSE;
/*
* Check that packet looks like FMTP before going further
*/
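Review bot: The new guard at the top of dissect_fmtp compares against a bare `5`, while the LENGTH check added later in this commit uses `FMTP_HEADER_LEN` for what the existing comment calls the 5-byte header. Assuming that constant is the header size, `if (tvb_captured_length(tvb) < FMTP_HEADER_LEN)` keeps the two checks from drifting apart if the header definition ever changes. A short comment such as `/* Heuristic: give up before any tvb_get_* call can read past the captured data */` would record why this test has to come before the field checks. The function body continues outside this hunk.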
@@ -142,8 +146,9 @@ dissect_fmtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
if (tvb_get_guint8(tvb, 0) != 0x02) return (FALSE);
/* RESERVED must currently be 0x00 */
if (tvb_get_guint8(tvb, 1) != 0x00) return (FALSE);
+ length = tvb_get_ntohs(tvb, 2);
/* LENGTH must currently not exceed 5 (header) + 10240 (data) */
- if (tvb_get_ntohs(tvb, 2) > FMTP_MAX_LEN) return (FALSE);
+ if ((length > FMTP_MAX_LEN) || (length < FMTP_HEADER_LEN)) return (FALSE);
/* TYP must currently be in range 0x01-0x04 */
if ((tvb_get_guint8(tvb, 4) < 0x01) || (tvb_get_guint8(tvb, 4) > 0x04))
return (FALSE);
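Review bot: The comment above the LENGTH test still describes only the upper bound, although the condition now also rejects values below `FMTP_HEADER_LEN`. Something like `/* LENGTH must be at least the header size and must not exceed 5 (header) + 10240 (data) */` would match the code. The same field also appears to be read by get_fmtp_message_len, which is named in the previous hunk header but whose body is not shown. If that path can see PDUs that did not pass through this heuristic, it is worth confirming that it tolerates a LENGTH smaller than the header. dissect_fmtp continues past the end of this hunk.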