author | Peter Wu <peter@lekensteyn.nl> | 2018-05-14 17:29:52 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-05-15 10:30:36 +0000 |
commit | 48fac2a18debb2969413e03f3d88bbb9c31500ae (patch) | |
tree | a2f5ff4250a8caec01ab18ab8c8ded1a11230880 /epan | |
parent | 171d92cc148ee782fe5c900e11a1d8976ca77662 (diff) |
gsm_a_dtap: fix off-by-one buffer overflow (write)
The output buffer needs one more byte for the string terminator.
Bug: 14688
Change-Id: I7d606aa8fb769fd65ba894f0472ada3543a1e3cd
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6420
Reviewed-on: https://code.wireshark.org/review/27539
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-gsm_a_dtap.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-gsm_a_dtap.c b/epan/dissectors/packet-gsm_a_dtap.c
index 9c100a45c9..d15e219301 100644
--- a/epan/dissectors/packet-gsm_a_dtap.c
+++ b/epan/dissectors/packet-gsm_a_dtap.c
@@ -2334,7 +2334,7 @@ de_sub_addr(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset,
 {
 ia5_string_len = len - (curr_offset - offset);
 ia5_string = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, curr_offset, ia5_string_len);
- *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len);
+ *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len + 1);
 invalid_ia5_char = FALSE;
 for(i = 0; i < ia5_string_len; i++) |
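Review bot: The `+ 1` on the `wmem_alloc` size has no comment tying it to the string terminator, and the write that needs the extra byte lies below the last visible line of the hunk, so a later edit to this block could silently reintroduce the one-byte overflow. I would add `/* +1: room for the NUL terminator appended after the conversion loop */` directly above the allocation. Separately, `ia5_string_len` is derived from `len - (curr_offset - offset)` with no visible check that the bytes already consumed do not exceed `len`; presumably an earlier guard or the bounds check inside `tvb_memdup` covers that case, but it is worth confirming. The enclosing block of `de_sub_addr` starts and ends outside the hunk, so both points should be checked against the full function.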