USB: Sanity check Darwin USB header to prevent infinite loop.

Bug: 14421
Change-Id: Ifb492b776182507c10664d067f99312af250e6ff
Reviewed-on: https://code.wireshark.org/review/25872
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann <mmann78@netscape.net>

diff --git a/epan/dissectors/packet-usb.c b/epan/dissectors/packet-usb.c
index e075b5ff56b1b57d05b65276fd831ef4c36c32c4..d7f53b7a10a930f667e91c5f6c0488a4c64526ef 100644 (file)
--- a/epan/dissectors/packet-usb.c
+++ b/epan/dissectors/packet-usb.c
@@ -4253,7 +4253,7 @@ dissect_darwin_usb_iso_transfer(packet_info *pinfo _U_, proto_tree *tree, usb_he
         frame_header_length = tvb_get_guint32(tvb, offset, ENC_LITTLE_ENDIAN);
         frame_length        = tvb_get_guint32(tvb, offset + 4, ENC_LITTLE_ENDIAN);
 
-        if (len < frame_header_length) {
+        if ((len < frame_header_length) || (frame_header_length < 20)) {
             break;
         }