authorPeter Wu <peter@lekensteyn.nl>2018-05-14 17:29:52 +0200
committerAnders Broman <a.broman58@gmail.com>2018-05-15 10:30:36 +0000
commit48fac2a18debb2969413e03f3d88bbb9c31500ae (patch)
treea2f5ff4250a8caec01ab18ab8c8ded1a11230880 /epan
parent171d92cc148ee782fe5c900e11a1d8976ca77662 (diff)
gsm_a_dtap: fix off-by-one buffer overflow (write)
The output buffer needs one more byte for the string terminator. Bug: 14688 Change-Id: I7d606aa8fb769fd65ba894f0472ada3543a1e3cd Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6420 Reviewed-on: https://code.wireshark.org/review/27539 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-gsm_a_dtap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-gsm_a_dtap.c b/epan/dissectors/packet-gsm_a_dtap.c
index 9c100a45c9..d15e219301 100644
--- a/epan/dissectors/packet-gsm_a_dtap.c
+++ b/epan/dissectors/packet-gsm_a_dtap.c
@@ -2334,7 +2334,7 @@ de_sub_addr(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset,
{
ia5_string_len = len - (curr_offset - offset);
ia5_string = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, curr_offset, ia5_string_len);
- *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len);
+ *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len + 1);
invalid_ia5_char = FALSE;
for(i = 0; i < ia5_string_len; i++)
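Review bot: The `+ 1` on the `wmem_alloc` line carries no comment tying it to the terminator, so a later cleanup could drop it again; I would add `/* +1 for the NUL terminator appended after decoding */` above the allocation. The write of the terminator itself is not in this hunk, so it is worth confirming that the decode step writes at most `ia5_string_len` characters plus one NUL into `*extracted_address`. Separately, `ia5_string_len = len - (curr_offset - offset)` sizes both the `tvb_memdup` copy and this allocation, and the hunk does not show a check that `curr_offset - offset` is smaller than `len`; if no earlier guard exists, the subtraction could wrap or go negative, so that should be verified against the surrounding code. The enclosing block of `de_sub_addr` starts and ends outside the hunk.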