Fixed a possible buffer overflow in dissect_fmp_flushCmd() when cmd has

all bits set. svn path=/trunk/; revision=24248
author: Stig Bjørlykke <stig@bjorlykke.org> 2008-02-02 17:17:16 +0000
committer: Stig Bjørlykke <stig@bjorlykke.org> 2008-02-02 17:17:16 +0000
commit: f4871e6269b60873a2a82db5f8c88ef8228d9c1b (patch)
tree: 6ee344eb22300e4885a8eed1422390e8c5ccc0cc /epan/dissectors/packet-fmp.c
parent: dc1f6dc4246c001510c6512503b7714d92f0666e (diff)
1 files changed, 10 insertions, 9 deletions
diff --git a/epan/dissectors/packet-fmp.c b/epan/dissectors/packet-fmp.c
index 326035e789..3d72d478f6 100644
--- a/epan/dissectors/packet-fmp.c
+++ b/epan/dissectors/packet-fmp.c
@@ -463,7 +463,7 @@ dissect_fmp_flushCmd(tvbuff_t *tvb, int offset,  proto_tree *tree)
 
 	/* Initialize the message for an empty string */
 	msgIndex = msg;
-	strcpy(msgIndex, "No command specified");
+	strncpy(msgIndex, "No command specified", MAX_MSG_SIZE);
 
 	for (i = 0; cmd != 0 && i < 32; i++) {
 
@@ -472,31 +472,31 @@ dissect_fmp_flushCmd(tvbuff_t *tvb, int offset,  proto_tree *tree)
 		if (cmd & bitValue) {
 			switch (bitValue) {
 			case FMP_COMMIT_SPECIFIED:
-				strcpy(msgIndex, "COMMIT_SPECIFIED");
+				strncpy(msgIndex, "COMMIT_SPECIFIED", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("COMMIT_SPECIFIED");
 				break;
 			case FMP_RELEASE_SPECIFIED:
-				strcpy(msgIndex, "RELEASE_SPECIFIED");
+				strncpy(msgIndex, "RELEASE_SPECIFIED", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("RELEASE_SPECIFIED");
 				break;
 			case FMP_RELEASE_ALL:
-				strcpy(msgIndex, "RELEASE_ALL");
+				strncpy(msgIndex, "RELEASE_ALL", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("RELEASE_ALL");
 				break;
 			case FMP_CLOSE_FILE:
-				strcpy(msgIndex, "CLOSE_FILE");
+				strncpy(msgIndex, "CLOSE_FILE", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("CLOSE_FILE");
 				break;
 			case FMP_UPDATE_TIME:
-				strcpy(msgIndex, "UPDATE_TIME");
+				strncpy(msgIndex, "UPDATE_TIME", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("UPDATE_TIME");
 				break;
 			case FMP_ACCESS_TIME:
-				strcpy(msgIndex, "ACCESS_TIME");
+				strncpy(msgIndex, "ACCESS_TIME", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("ACCESS_TIME");
 				break;
 			default:
-				strcpy(msgIndex, "UNKNOWN");
+				strncpy(msgIndex, "UNKNOWN", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen("UNKNOWN");
 				break;
 			}
@@ -506,11 +506,12 @@ dissect_fmp_flushCmd(tvbuff_t *tvb, int offset,  proto_tree *tree)
 	
 			/* add a "bitwise inclusive OR" symbol between cmds */
 			if (cmd) {
-				strcpy(msgIndex, " | ");
+				strncpy(msgIndex, " | ", MAX_MSG_SIZE - strlen(msg));
 				msgIndex += strlen(" | ");
 			}
 		}
 	}
+	msg[MAX_MSG_SIZE-1] = '\0';
 
 	proto_tree_add_text(tree, tvb, offset, 4, "Cmd: %s", msg);
 	offset += 4;
author	Stig Bjørlykke <stig@bjorlykke.org>	2008-02-02 17:17:16 +0000
committer	Stig Bjørlykke <stig@bjorlykke.org>	2008-02-02 17:17:16 +0000
commit	f4871e6269b60873a2a82db5f8c88ef8228d9c1b (patch)
tree	6ee344eb22300e4885a8eed1422390e8c5ccc0cc /epan/dissectors/packet-fmp.c
parent	dc1f6dc4246c001510c6512503b7714d92f0666e (diff)