Improve sanity checking of reception claim count. Fixes bug 5521.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35287 f5534014-38df-0310-8fa8-9805f1628bb7

diff --git a/epan/dissectors/packet-ltp.c b/epan/dissectors/packet-ltp.c
index 08b192c2641bf728daf66130625b28b3d5173e3c..1fd47bb0650489f02277e909d42183d370593f1b 100644 (file)
--- a/epan/dissectors/packet-ltp.c
+++ b/epan/dissectors/packet-ltp.c
@@ -431,14 +431,14 @@ dissect_report_segment(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ltp_tree,
        }
 
        rcpt_clm_cnt = evaluate_sdnv(tvb,frame_offset + segment_offset, &rcpt_clm_cnt_size);
-       if (rcpt_clm_cnt < 0){
-               expert_add_info_format(pinfo, ltp_tree, PI_UNDECODED, PI_ERROR, "Negative reception claim count: %d", rcpt_clm_cnt);
-               return 0;
-       }
        segment_offset += rcpt_clm_cnt_size;
        if((unsigned)(frame_offset + segment_offset) > tvb_length(tvb)){
                return 0;
        }
+       if ((rcpt_clm_cnt < 0) || (rcpt_clm_cnt > (tvb_reported_length_remaining(tvb, frame_offset + segment_offset) / 2))){
+               expert_add_info_format(pinfo, ltp_tree, PI_UNDECODED, PI_ERROR, "Non-sensical reception claim count: %d", rcpt_clm_cnt);
+               return 0;
+       }
 
        offset = ep_alloc(sizeof(guint64) * rcpt_clm_cnt);
        offset_size = ep_alloc(sizeof(int) * rcpt_clm_cnt);