-rw-r--r-- | epan/dissectors/packet-assa_r3.c | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/epan/dissectors/packet-assa_r3.c b/epan/dissectors/packet-assa_r3.c index 4abed8ed3e..55f5d381c3 100644 --- a/epan/dissectors/packet-assa_r3.c +++ b/epan/dissectors/packet-assa_r3.c @@ -3315,6 +3315,7 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_, guint32 fieldType = tvb_get_guint8 (tvb, offset + 1); guint32 dataLength = fieldLength - 2; proto_item *upstreamfield_item = NULL; + proto_item *upstreamfield_length = NULL; proto_tree *upstreamfield_tree = NULL; const gchar *usfn = NULL; @@ -3323,9 +3324,15 @@ static void dissect_r3_upstreamfields (tvbuff_t *tvb, guint32 start_offset _U_, upstreamfield_item = proto_tree_add_none_format (tree, hf_r3_upstreamfield, tvb, offset + 0, fieldLength, "Upstream Field: %s (%u)", usfn, fieldType); upstreamfield_tree = proto_item_add_subtree (upstreamfield_item, ett_r3upstreamfield); - proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); + upstreamfield_length = proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldlength, tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); proto_tree_add_item (upstreamfield_tree, hf_r3_upstreamfieldtype, tvb, offset + 1, 1, ENC_LITTLE_ENDIAN); + if (fieldLength < 2) + { + dataLength = 0; + expert_add_info_format (pinfo, upstreamfield_length, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets."); + } + offset += 2; switch (fieldType) 
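Review bot: In the second hunk the new `if (fieldLength < 2)` block only zeroes `dataLength` and records a warning; execution still reaches `offset += 2` and `switch (fieldType)`, so a field that declares 0 or 1 octets is dissected as though its 2-octet header were valid, using a type octet that lies outside the declared length. Any switch case that reads a fixed number of octets without first checking `dataLength` would then consume the next field's bytes; the cases and the enclosing loop are outside this hunk, so that needs confirming there. Stopping dissection of the remaining fields once the length is known to be bad would be more robust for capture data that cannot be trusted. A bad length is also better reported as `PI_MALFORMED, PI_ERROR` than `PI_UNDECODED, PI_WARN`. The same applies to the `paramLength < 2` block in dissect_r3_cmd_manageuser.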
@@ -4654,15 +4661,22 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin guint32 paramType = tvb_get_guint8 (payload_tvb, offset + 1); guint32 dataLength = paramLength - 2; proto_tree *mu_tree = NULL; + proto_item *len_field = NULL; const gchar *auptn = NULL; auptn = val_to_str_ext_const (paramType, &r3_adduserparamtypenames_ext, "[Unknown Field]"); mu_tree = proto_item_add_subtree (proto_tree_add_none_format (tree, hf_r3_adduserparamtype, payload_tvb, offset + 0, paramLength, "Manage User Field: %s (%u)", auptn, paramType), ett_r3manageuser); - proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); + len_field = proto_tree_add_item (mu_tree, hf_r3_adduserparamtypelength, payload_tvb, offset + 0, 1, ENC_LITTLE_ENDIAN); proto_tree_add_item (mu_tree, hf_r3_adduserparamtypetype, payload_tvb, offset + 1, 1, ENC_LITTLE_ENDIAN); + if (paramLength < 2) + { + dataLength = 0; + expert_add_info_format (pinfo, len_field, PI_UNDECODED, PI_WARN, "Malformed length value -- all fields are at least 2 octets."); + } + offset += 2; switch (paramType) 
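Review bot: `dataLength` is still initialised as `paramLength - 2` on a `guint32`, so for a length of 0 or 1 it wraps to a very large value and is only corrected several statements later by the new block; any code later placed between the declaration and the check would see the wrapped value. Computing it safely at the declaration, `guint32 dataLength = (paramLength >= 2) ? paramLength - 2 : 0;`, removes that window and leaves the new block with only the expert item to add. dissect_r3_upstreamfields has the same initialiser with `fieldLength`. The check and its message string are now duplicated in both functions, which a small static helper would avoid.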
@@ -4677,14 +4691,14 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin case ADDUSERPARAMTYPE_USECOUNT : case ADDUSERPARAMTYPE_EXCEPTIONGROUP : if (dataLength != 1) - expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet"); + expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 1 octet"); else proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE); break; case ADDUSERPARAMTYPE_USERNO : if (dataLength != 2) - expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets"); + expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed field -- expected 2 octets"); else proto_tree_add_item (mu_tree, hf_r3_adduserparamtypearray [paramType], payload_tvb, offset, dataLength, TRUE); break; @@ -4700,7 +4714,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin proto_tree *expireon_tree = NULL; if (dataLength != 3) - expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets"); + expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed expiration field -- expected 3 octets"); else { expireon_item = proto_tree_add_text (mu_tree, payload_tvb, offset, 3, "Expire YY/MM/DD: %02u/%02u/%02u", @@ -4722,7 +4736,7 @@ static void dissect_r3_cmd_manageuser (tvbuff_t *tvb, guint32 start_offset, guin proto_tree *timezone_tree = NULL; if (dataLength != 4) - expert_add_info_format (pinfo, tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets"); + expert_add_info_format (pinfo, mu_tree, PI_UNDECODED, PI_WARN, "Malformed timezone field -- expected 4 octets"); else { tz = tvb_get_letohl (payload_tvb, offset); |
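Review bot: The four `expert_add_info_format` calls touched here (the 1-octet, 2-octet, expiration and timezone cases) state the expected size but not the size actually received, which is what someone triaging a malformed capture needs to see. The function takes a printf-style format, so the first could read `"Malformed field -- expected 1 octet, got %u", dataLength`, and likewise for the others. The function body starts and continues outside these hunks, so other cases of the switch may want the same treatment.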