Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7701 :

Do sanity check on option length earlier

svn path=/trunk/; revision=44785

diff --git a/epan/dissectors/packet-bootp.c b/epan/dissectors/packet-bootp.c
index 7f1d3c89cb21fc4fe8d58e51b26e62103d2479b1..40f11f4da13ba8d8968ee484e11352a59bed0278 100644 (file)
--- a/epan/dissectors/packet-bootp.c
+++ b/epan/dissectors/packet-bootp.c
@@ -2093,6 +2093,10 @@ bootp_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree, int voff,
                                while (optoff < optend) {
                                        name_len = tvb_get_guint8(tvb, optoff);
                                        string = tvb_get_ephemeral_stringz(tvb, optoff+1, &len);
+                                       if ((optoff+len+1) > optend) {
+                                               expert_add_info_format(pinfo, vti, PI_PROTOCOL, PI_ERROR, "length goes beyond option end");
+                                               break;
+                                       }
                                        while (name_len < (len-1)) {
                                                tmp = name_len;
                                                name_len = name_len + string[tmp] + 1;
@@ -2100,10 +2104,6 @@ bootp_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree, int voff,
                                        }
                                        proto_tree_add_string(v_tree, hf_bootp_option_sip_server_name, tvb, optoff, len+1, string);
                                        optoff += len+1;
-                                       if (optoff > optend) {
-                                               expert_add_info_format(pinfo, vti, PI_PROTOCOL, PI_ERROR, "length goes beyond option end");
-                                               break;
-                                       }
                                }
                                }
                                break;