From: jmayer
Date: Sat, 27 Aug 2011 11:06:50 +0000 (+0000)
Subject: Stengthen the heuristics a bit (aka don't misclassify some of
X-Git-Url: http://git.samba.org/samba.git/?p=obnox%2Fwireshark%2Fwip.git;a=commitdiff_plain;h=9d518ddac7e6163b4a9f4318ba11790866ed692e

Stengthen the heuristics a bit (aka don't misclassify some of my capture data as rpcap). Someone with more knowledge of the format might want to look at this (I added FIXMEs).

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@38754 f5534014-38df-0310-8fa8-9805f1628bb7
---

diff --git a/epan/dissectors/packet-rpcap.c b/epan/dissectors/packet-rpcap.c
index 7dff0bfb8b..357e58938e 100644
--- a/epan/dissectors/packet-rpcap.c
+++ b/epan/dissectors/packet-rpcap.c
@@ -893,7 +893,7 @@ check_rpcap_heur (tvbuff_t *tvb, gboolean tcp)
 gint offset = 0;
 guint8 version, msg_type;
 guint16 msg_value;
- guint32 plen, len;
+ guint32 plen, len, caplen;
 
 if (tvb_length (tvb) < 8)
 /* Too short */
@@ -928,6 +928,10 @@ check_rpcap_heur (tvbuff_t *tvb, gboolean tcp)
 offset += 2;
 
 plen = tvb_get_ntohl (tvb, offset);
+ /* FIXME: What is the maximum value that can really be seen here? */
+ if (plen > 10000)
+ return FALSE;
+
 offset += 4;
 
 len = (guint32) tvb_length_remaining (tvb, offset);
@@ -966,7 +970,9 @@ check_rpcap_heur (tvbuff_t *tvb, gboolean tcp)
 return FALSE;
 
 /* Check if capture length is valid */
- if (tvb_get_ntohl (tvb, offset+8) > len)
+ caplen = tvb_get_ntohl (tvb, offset+8);
+ /* FIXME: Are there cases where a length of 0 may be valid? */
+ if (caplen > len || caplen == 0)
 return FALSE;
 break;
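Review bot: The new `if (plen > 10000)` in the second hunk (`@@ -928,6 +928,10 @@`) is an unexplained magic limit that the FIXME directly above it already questions; rpcap messages carry captured frame data, so a remote capture with a large snapshot length could plausibly produce payload lengths above 10000 and would then stop being recognised by the heuristic (inferred — the real maximum is not visible here). At minimum name the constant and record the intent, e.g. `#define RPCAP_HEUR_MAX_PLEN 10000  /* heuristic bound on payload length, not a protocol limit */` and `if (plen > RPCAP_HEUR_MAX_PLEN)`. Note this bound only affects classification: it does not replace length validation in the dissector proper, which must still check plen against the bytes actually present before using it. check_rpcap_heur starts before and continues after this hunk.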
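Review bot: In the third hunk (`@@ -966,7 +970,9 @@`) `caplen` is read at `offset+8` but compared against `len`, which the second hunk computes with `tvb_length_remaining` from just after the plen field, so a caplen that overruns the actual captured data by up to the size of the packet header (at least 12 bytes, since the field ends at offset+12) still passes — assuming `offset` is not advanced between the two hunks, which is not visible here. A tighter check would subtract that header, e.g. `if (len < 12 || caplen > len - 12 || caplen == 0)` with 12 replaced by the real packet-header size. Rejecting `caplen == 0` is also a behaviour change the FIXME leaves unresolved; if zero-length captured packets can occur (presumably with an unusual snaplen or link type), such traffic would now be misclassified, so the comment should state the assumption being made, e.g. `/* NOTE(review): assumes a zero capture length never occurs in valid rpcap data — confirm against the format */`. The enclosing switch and check_rpcap_heur continue outside the hunk.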