From Johan Kristell:
authorjake <jake@f5534014-38df-0310-8fa8-9805f1628bb7>
Mon, 31 Jan 2011 22:31:05 +0000 (22:31 +0000)
committerjake <jake@f5534014-38df-0310-8fa8-9805f1628bb7>
Mon, 31 Jan 2011 22:31:05 +0000 (22:31 +0000)
In the standard 802.3at-2009 the PoE+ TLVs are 12 bytes long, but in the
earlier version 802.3bc-2009, they are 7 bytes long (the power type/
source/priority, and the requested and allocated fields are lacking).
Not respecting the length of the TLV leads to wireshark displaying garbage
data and could lead to reading outside of buffer.

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@35737 f5534014-38df-0310-8fa8-9805f1628bb7

epan/dissectors/packet-lldp.c

index 7f0f2dae7a695680579a43c9915d69e21509ea81..817b91debaf3784c67a222dc55b38a4c0eae1dc8 100644 (file)
@@ -1346,7 +1346,7 @@ dissect_ieee_802_1_tlv(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
 
 /* Dissect IEEE 802.3 TLVs */
 static void
-dissect_ieee_802_3_tlv(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset)
+dissect_ieee_802_3_tlv(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, guint32 offset, guint16 tlvLen)
 {
        guint8 subType;
        guint8 tempByte;
@@ -1624,6 +1624,9 @@ dissect_ieee_802_3_tlv(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
 
                tempOffset++;
 
+               if (tlvLen == 4)
+                       break;
+
                /* Get first byte */
                tempByte = tvb_get_guint8(tvb, tempOffset);
 
@@ -2542,7 +2545,7 @@ dissect_organizational_specific_tlv(tvbuff_t *tvb, packet_info *pinfo, proto_tre
                dissect_ieee_802_1_tlv(tvb, pinfo, org_tlv_tree, (offset+5));
                break;
        case OUI_IEEE_802_3:
-               dissect_ieee_802_3_tlv(tvb, pinfo, org_tlv_tree, (offset+5));
+               dissect_ieee_802_3_tlv(tvb, pinfo, org_tlv_tree, (offset+5), (guint16) (tempLen-3));
                break;
        case OUI_MEDIA_ENDPOINT:
                dissect_media_tlv(tvb, pinfo, org_tlv_tree, (offset+5), (guint16) (tempLen-3));