author | Evan Huus <eapache@gmail.com> | 2014-10-13 12:55:40 -0400 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2014-10-13 16:59:51 +0000 |
commit | b9988e2bbfc7c6c41ef82c559bd11a8c19170491 (patch) | |
tree | a174fbd00087629027e297ae053bda9563b27e45 | |
parent | 8fb74b4a6847990aab841d3eaf43cd2d9669cd3b (diff) |
ncp2222: don't overflow buffer constructing string
Fixes stack-smashing vuln.
Somehow there was already an XXX in the code about this, but nobody realized at
the time it was worth fixing... really?
Bug: 10552
Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
Reviewed-on: https://code.wireshark.org/review/4653
Reviewed-by: Evan Huus <eapache@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ncp2222.inc | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
index 0fa0d25d35..2dab4d0e87 100644
--- a/epan/dissectors/packet-ncp2222.inc
+++ b/epan/dissectors/packet-ncp2222.inc
@@ -2755,8 +2755,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
 case 18:
 case 19:
 case 20: /* string */
- /* XXX: Should we verify: buffer_size is as large as value returned by get_finfo_length(...) ??? */
- uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
+ uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
 if (repeat_lookup > 0) {
 if (strlen(temp_buffer) + strlen(buffer) < 250) {
 g_strlcat(temp_buffer, buffer, 256); |
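Review bot: Clamping the length to `buffer_size` on the added `uni_to_string(...)` line may still leave a one-byte overrun. If `uni_to_string` writes a terminating NUL after the copied characters (its body is not in this hunk, so this needs checking), a length equal to `buffer_size` would place the terminator at `buffer[buffer_size]`. Reserving room for it, e.g. `MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size - 1)`, would close that, provided `buffer_size` is never zero. It is also worth confirming that `get_finfo_length()` cannot return a negative value, since a negative result that survives `MIN` would presumably become a very large count if the length parameter is unsigned. `build_expert_data` starts and ends outside the hunk.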