Check for an invalid MCC length. Fixes bug 4212.
authorgerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Thu, 12 Nov 2009 01:55:06 +0000 (01:55 +0000)
committergerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Thu, 12 Nov 2009 01:55:06 +0000 (01:55 +0000)
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@30936 f5534014-38df-0310-8fa8-9805f1628bb7

epan/dissectors/packet-btrfcomm.c

index fe8fdc5c90bab9de2360c4865397475b34141b89..a9782e8e65fb0c91aa84643b733d0e83698ab23e 100644 (file)
@@ -51,6 +51,7 @@
 #include <epan/value_string.h>
 #include <etypes.h>
 #include <epan/emem.h>
+#include <epan/expert.h>
 #include "packet-btl2cap.h"
 
 static int hf_pf = -1;
@@ -693,20 +694,21 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
                switch(mcc_type) {
                case 0x20: /* Parameter Negotiation */
-                       if ((check_col(pinfo->cinfo, COL_INFO))){
-                               col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
-                       }
+                       col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
                        dissect_ctrl_pn(pinfo, ctrl_tree, tvb, offset, mcc_cr_flag);
                        break;
                case 0x38: /* Model Status Command */
-                       if ((check_col(pinfo->cinfo, COL_INFO))){
-                               col_append_str(pinfo->cinfo, COL_INFO, "Model Status Command ");
-                       }
+                       col_append_str(pinfo->cinfo, COL_INFO, "Model Status Command ");
                        dissect_ctrl_msc(ctrl_tree, tvb, offset, length);
                        break;
                }
                offset += length;
 
+               if (offset < start_offset) {
+                       expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
+                       return;
+               }
+
                proto_item_set_len(mcc_ti, offset-start_offset);
        }
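Review bot: The added `offset < start_offset` check sits after the `switch(mcc_type)`, so `dissect_ctrl_msc(ctrl_tree, tvb, offset, length)` has already run with the unvalidated `length` before the malformed-packet path is reached. The check also catches only a length large enough to wrap `offset`; a length that overruns the remaining data without wrapping still passes. Whether the wrap is detected at all depends on the types of `offset` and `length`, which are declared outside this hunk. I would move the guard above the `switch` and compare `length` with the bytes left in `tvb` (for example the result of `tvb_reported_length_remaining(tvb, offset)`, treating a negative result as zero), keeping the `PI_MALFORMED` expert item and the early `return`. `dissect_btrfcomm` starts and ends outside the hunk, so check whether an earlier bound on `length` already exists.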