From b9988e2bbfc7c6c41ef82c559bd11a8c19170491 Mon Sep 17 00:00:00 2001
From: Evan Huus
Date: Mon, 13 Oct 2014 12:55:40 -0400
Subject: ncp2222: don't overflow buffer constructing string

Fixes stack-smashing vuln. Somehow there was already an XXX in the code about this, but nobody realized at the time it was worth fixing... really?

Bug: 10552
Change-Id: I849068bd6c45146339444f295b72430d3c6e08f2
Reviewed-on: https://code.wireshark.org/review/4653
Reviewed-by: Evan Huus
---
 epan/dissectors/packet-ncp2222.inc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-ncp2222.inc b/epan/dissectors/packet-ncp2222.inc
index 0fa0d25d35..2dab4d0e87 100644
--- a/epan/dissectors/packet-ncp2222.inc
+++ b/epan/dissectors/packet-ncp2222.inc
@@ -2755,8 +2755,7 @@ build_expert_data(proto_tree *ncp_tree, const char *hf_name, char *buffer,
 case 18:
 case 19:
 case 20: /* string */
- /* XXX: Should we verify: buffer_size is as large as value returned by get_finfo_length(...) ??? */
- uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), get_finfo_length(PTREE_FINFO(tree_pointer)), buffer);
+ uni_to_string(get_finfo_value_string(PTREE_FINFO(tree_pointer)), MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size), buffer);
 if (repeat_lookup > 0) {
 if (strlen(temp_buffer) + strlen(buffer) < 250) {
 g_strlcat(temp_buffer, buffer, 256);
-- 
cgit v1.2.3
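Review bot: Capping the length at `buffer_size` leaves no room for the terminator that the `strlen(buffer)` call two lines below depends on, unless uni_to_string reserves it itself: if the helper writes `length` characters followed by a NUL, a length that reaches the cap still writes one byte past the buffer, and if it writes no NUL when truncated, `strlen(buffer)` reads past it. Unless uni_to_string's contract is known to terminate within `length`, pass `MIN(get_finfo_length(PTREE_FINFO(tree_pointer)), buffer_size - 1)` and state at the call site, in a comment, whether `length` counts bytes of the source or characters written, since the hunk does not show that the two units agree. The comparison inside MIN also mixes the return type of get_finfo_length with `buffer_size`, whose type is not visible here; if one operand is signed and the other unsigned, a negative length would not be capped, so it is worth confirming both are the same unsigned type. The body of build_expert_data starts and ends outside the hunk.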