diff options
author | Guy Harris <guy@alum.mit.edu> | 2014-12-07 12:17:48 -0800 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2014-12-07 20:18:26 +0000 |
commit | 212ba58fdcb3dc21bbddca7596fa799ee2589b46 (patch) | |
tree | 9ac002d9a6836d0caa2662c550d03d67ee3361b9 /wiretap | |
parent | 5f79940d6c1f77d99366b3c6f7004ac394a437c4 (diff) |
Add checks for non-null-terminated strings.
Change-Id: Iaad2d2f76e5d554800ba2c79d5c01f4b9da6fa0b
Reviewed-on: https://code.wireshark.org/review/5660
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/k12.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/wiretap/k12.c b/wiretap/k12.c index fcf968f81d..955c8387c3 100644 --- a/wiretap/k12.c +++ b/wiretap/k12.c @@ -1043,12 +1043,20 @@ wtap_open_return_val k12_open(wtap *wth, int *err, gchar **err_info) { } } - /* XXX - this is assumed, in a number of places (not just in the - ascii_strdown_inplace() call below) to be null-terminated; - is that guaranteed (even with a corrupt file)? - Obviously not, as a corrupt file could contain anything - here; the Tektronix document says the strings "must end - with \0", but a bad file could fail to add the \0. */ + if (read_buffer[K12_SRCDESC_HWPART + hwpart_len + name_len - 1] != '\0') { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("k12_open: source descriptor record contains non-null-terminated link-layer name"); + destroy_k12_file_data(file_data); + g_free(rec); + return WTAP_OPEN_ERROR; + } + if (read_buffer[K12_SRCDESC_HWPART + hwpart_len + name_len + stack_len - 1] != '\0') { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("k12_open: source descriptor record contains non-null-terminated stack path"); + destroy_k12_file_data(file_data); + g_free(rec); + return WTAP_OPEN_ERROR; + } rec->input_name = (gchar *)g_memdup(read_buffer + K12_SRCDESC_HWPART + hwpart_len, name_len); rec->stack_file = (gchar *)g_memdup(read_buffer + K12_SRCDESC_HWPART + hwpart_len + name_len, stack_len); |