authorEvan Huus <eapache@gmail.com>2015-05-17 10:31:38 -0400
committerEvan Huus <eapache@gmail.com>2015-05-18 01:57:54 +0000
commit4a4871a831bd32fc5b28ec4dd25b52ee4d54e22a (patch)
treedb176e1aeb425c70530d8e17a53b8c354f23c596 /epan/dissectors/packet-ntlmssp.c
parentd934d40f96534419ed7e92f5260158f69d601f9c (diff)
ntlmssp: swap bounds check and length for memcpy
The values make more sense swapped (and the code is super-old) so I'm assuming this was just a long-uncaught typo. Fixes a valgrind error at any rate. Also replace a malloc+memcpy with a memdup for simplicity. Bug: 11203 Change-Id: I74c0aff548b844cf90610db56a143f3eac172658 Reviewed-on: https://code.wireshark.org/review/8493 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Evan Huus <eapache@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-ntlmssp.c')
-rw-r--r--epan/dissectors/packet-ntlmssp.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 7a41989c85..0646557726 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -981,11 +981,10 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
*end = blob_offset + blob_length;
if (result != NULL) {
- result->length = blob_length;
if (blob_length < MAX_BLOB_SIZE)
{
- result->contents = (guint8 *)wmem_alloc(wmem_file_scope(), blob_length);
- tvb_memcpy(tvb, result->contents, blob_offset, blob_length);
+ result->length = blob_length;
+ result->contents = (guint8 *)tvb_memdup(wmem_file_scope(), tvb, blob_offset, blob_length);
if (blob_hf == hf_ntlmssp_auth_lmresponse &&
!(tvb_memeql(tvb, blob_offset+8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", NTLMSSP_KEY_LEN)))
{
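Review bot: When `blob_length >= MAX_BLOB_SIZE`, `result->length` and `result->contents` are now both left at whatever they held before, and no else branch is visible in this hunk to reset them. That keeps the pair consistent, which the fixed-offset `memcpy` in dissect_ntlmssp_auth depends on, but an oversized blob would silently keep an earlier blob's data if the same struct is filled more than once per conversation. Unless code outside the hunk already handles it, consider an explicit `else { result->length = 0; result->contents = NULL; }` and a short comment that `length` is only meaningful together with `contents`. The body of dissect_ntlmssp_blob starts and ends outside the hunk.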
@@ -1644,8 +1643,8 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
&item_end,
conv_ntlmssp_info == NULL ? NULL :
&conv_ntlmssp_info->ntlm_response);
- if (conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length > 24) {
- memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->ntlm_response.contents+32, 8);
+ if (conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length >= 32) {
+ memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->ntlm_response.contents+24, 8);
}
data_start = MIN(data_start, item_start);
data_end = MAX(data_end, item_end);
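Review bot: The new guard and copy agree with each other (bytes 24..31 need `length >= 32`), but the swap also changes which bytes land in `client_challenge`, and that may not be the field intended. As I read the NTLMv2 response layout in MS-NLMP, a 16-byte proof plus 8 bytes of header and an 8-byte timestamp precede the client challenge, which would put it at offset 32; if so, the old offset was right and only the bound was wrong. The memory-safe form would then be `conv_ntlmssp_info->ntlm_response.length >= 40` with `contents+32`, which is worth confirming against the spec or a capture with known keys before relying on the swapped values. Named constants for the offset and the 8-byte challenge size would make the bound checkable at a glance. The body of dissect_ntlmssp_auth continues outside the hunk.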