aboutsummaryrefslogtreecommitdiffstats
path: root/wiretap
diff options
context:
space:
mode:
authorGuy Harris <guy@alum.mit.edu>2014-12-07 12:17:48 -0800
committerGuy Harris <guy@alum.mit.edu>2014-12-07 20:18:26 +0000
commit212ba58fdcb3dc21bbddca7596fa799ee2589b46 (patch)
tree9ac002d9a6836d0caa2662c550d03d67ee3361b9 /wiretap
parent5f79940d6c1f77d99366b3c6f7004ac394a437c4 (diff)
Add checks for non-null-terminated strings.
Change-Id: Iaad2d2f76e5d554800ba2c79d5c01f4b9da6fa0b Reviewed-on: https://code.wireshark.org/review/5660 Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'wiretap')
-rw-r--r--wiretap/k12.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/wiretap/k12.c b/wiretap/k12.c
index fcf968f81d..955c8387c3 100644
--- a/wiretap/k12.c
+++ b/wiretap/k12.c
@@ -1043,12 +1043,20 @@ wtap_open_return_val k12_open(wtap *wth, int *err, gchar **err_info) {
}
}
- /* XXX - this is assumed, in a number of places (not just in the
- ascii_strdown_inplace() call below) to be null-terminated;
- is that guaranteed (even with a corrupt file)?
- Obviously not, as a corrupt file could contain anything
- here; the Tektronix document says the strings "must end
- with \0", but a bad file could fail to add the \0. */
+ if (read_buffer[K12_SRCDESC_HWPART + hwpart_len + name_len - 1] != '\0') {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("k12_open: source descriptor record contains non-null-terminated link-layer name");
+ destroy_k12_file_data(file_data);
+ g_free(rec);
+ return WTAP_OPEN_ERROR;
+ }
+ if (read_buffer[K12_SRCDESC_HWPART + hwpart_len + name_len + stack_len - 1] != '\0') {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup("k12_open: source descriptor record contains non-null-terminated stack path");
+ destroy_k12_file_data(file_data);
+ g_free(rec);
+ return WTAP_OPEN_ERROR;
+ }
rec->input_name = (gchar *)g_memdup(read_buffer + K12_SRCDESC_HWPART + hwpart_len, name_len);
rec->stack_file = (gchar *)g_memdup(read_buffer + K12_SRCDESC_HWPART + hwpart_len + name_len, stack_len);