Make the MCC length check a little more picky.
authorgerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Thu, 12 Nov 2009 02:03:10 +0000 (02:03 +0000)
committergerald <gerald@f5534014-38df-0310-8fa8-9805f1628bb7>
Thu, 12 Nov 2009 02:03:10 +0000 (02:03 +0000)
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@30937 f5534014-38df-0310-8fa8-9805f1628bb7

epan/dissectors/packet-btrfcomm.c

index a9782e8e65fb0c91aa84643b733d0e83698ab23e..07ccea0ad791a11212b8f31d3b32011e004621f1 100644 (file)
@@ -692,6 +692,12 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
                /* len */
                offset = get_le_multi_byte_value(tvb, offset, ctrl_tree, &length, hf_mcc_len);
 
+
+               if (length > (guint32) tvb_length_remaining(tvb, offset)) {
+                       expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
+                       return;
+               }
+
                switch(mcc_type) {
                case 0x20: /* Parameter Negotiation */
                        col_append_str(pinfo->cinfo, COL_INFO, "Parameter Negotiation ");
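Review bot: The cast in `length > (guint32) tvb_length_remaining(tvb, offset)` hides the -1 that tvb_length_remaining() returns when offset is past the end of the buffer; -1 becomes 0xFFFFFFFF, the guard can never fire, and `offset += length` is unchecked again because the later `offset < start_offset` wrap test is removed in the next hunk. Whether offset can actually land past the end depends on get_le_multi_byte_value(), which is not visible here, so this may be unreachable in practice. Keeping the result signed and rejecting negatives first would close it: `gint remaining = tvb_length_remaining(tvb, offset);` followed by `if (remaining < 0 || length > (guint32) remaining) {`. Separately, the bound is the captured length rather than the reported length, so a frame truncated by the snapshot length would be marked PI_MALFORMED with "Huge MCC length" even though the packet itself was well-formed; `tvb_reported_length_remaining()` may be the better bound if that distinction matters for this dissector. dissect_btrfcomm() starts and ends outside the hunk.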
@@ -704,11 +710,6 @@ dissect_btrfcomm(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
                }
                offset += length;
 
-               if (offset < start_offset) {
-                       expert_add_info_format(pinfo, ctrl_tree, PI_MALFORMED, PI_ERROR, "Huge MCC length: %u", length);
-                       return;
-               }
-
                proto_item_set_len(mcc_ti, offset-start_offset);
        }