Wireshark-commits: [Wireshark-commits] master-2.6 99d27a5: rtcp: fix buffer overflow in transport-c
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 14 May 2018 14:45:59 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=99d27a5fd2c540f837154aca3b3647f5ccfa0c33
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master-2.6
Repository: wireshark

Commits:

99d27a5 by Peter Wu (peter@xxxxxxxxxxxxx):

    rtcp: fix buffer overflow in transport-cc dissection
    
    When the packet status chunks cover more packets than advertised in the
    packet status count field, fail rather than writing past the end.
    https://tools.ietf.org/html/draft-holmer-rmcat-transport-wide-cc-extensions-01#section-3.1.2
    
    Bug: 14673
    Change-Id: If90baef3610d8f884b0772a4b81d6dcb4ebc9227
    Fixes: v2.5.0rc0-2533-ga584eab239 ("New RTCP dissector for transport-cc")
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6464
    Reviewed-on: https://code.wireshark.org/review/27527
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Rui Zhang <rzhang@xxxxxxxxxxxxxx>
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    (cherry picked from commit 4413d43962e1aed72a285ae8fb68780bb64a11fe)
    Reviewed-on: https://code.wireshark.org/review/27536
    

Actions performed:

    from  b82a9a3   tvbuff: make tvb_bytes_exist fail with negative values
    adds  99d27a5   rtcp: fix buffer overflow in transport-cc dissection


Summary of changes:
 epan/dissectors/packet-rtcp.c | 41 +++++++++++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 12 deletions(-)