From 01e6542ed54102c60310bdf84c7da690c4f5f6d6 Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Sat, 10 May 2003 01:57:53 +0000
Subject: Use "tvb_ensure_bytes_exist()" to cause an exception to be thrown *before* attempting to allocate a buffer for a string, if the copy into the buffer will thrown an exception; that prevents us from 1) leaking memory if we can allocate the buffer (we'd throw an exception before we freed the buffer); 2) crashing if we can't allocate the buffer because the length is bogus and large.
svn path=/trunk/; revision=7658
---
 packet-dcerpc.c | 53 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 31 insertions(+), 22 deletions(-)
(limited to 'packet-dcerpc.c')
diff --git a/packet-dcerpc.c b/packet-dcerpc.c
index 955081763a..3a01499421 100644
--- a/packet-dcerpc.c
+++ b/packet-dcerpc.c
@@ -2,7 +2,7 @@
 * Routines for DCERPC packet disassembly
 * Copyright 2001, Todd Sabin
 *
- * $Id: packet-dcerpc.c,v 1.118 2003/05/08 19:26:08 guy Exp $
+ * $Id: packet-dcerpc.c,v 1.119 2003/05/10 01:57:53 guy Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -1016,29 +1016,38 @@ dissect_ndr_cvstring(tvbuff_t *tvb, int offset, packet_info *pinfo,
 offset += size_is - (offset % size_is);
 if (size_is == sizeof(guint16)) {
- /* XXX - use drep to determine the byte order? */
- s = tvb_fake_unicode(tvb, offset, buffer_len / 2, TRUE);
- /*
- * XXX - we don't support a string type with Unicode
- * characters, so if this is a string item, we make
- * its value be the "fake Unicode" string.
- */
- if (tree && buffer_len) {
- hfinfo = proto_registrar_get_nth(hfindex);
- if (hfinfo->type == FT_STRING) {
- proto_tree_add_string(string_tree, hfindex, tvb, offset,
- buffer_len, s);
- } else {
- proto_tree_add_item(string_tree, hfindex, tvb, offset,
- buffer_len, drep[0] & 0x10);
- }
- }
- } else {
- s = g_malloc(buffer_len + 1);
- tvb_memcpy(tvb, s, offset, buffer_len);
- if (tree && buffer_len)
+ /* XXX - use drep to determine the byte order? */
+ s = tvb_fake_unicode(tvb, offset, buffer_len / 2, TRUE);
+ /*
+ * XXX - we don't support a string type with Unicode
+ * characters, so if this is a string item, we make
+ * its value be the "fake Unicode" string.
+ */
+ if (tree && buffer_len) {
+ hfinfo = proto_registrar_get_nth(hfindex);
+ if (hfinfo->type == FT_STRING) {
+ proto_tree_add_string(string_tree, hfindex, tvb, offset,
+ buffer_len, s);
+ } else {
 proto_tree_add_item(string_tree, hfindex, tvb, offset,
 buffer_len, drep[0] & 0x10);
+ }
+ }
+ } else {
+ /*
+ * First, make sure the entire string is in the tvbuff, and throw
+ * an exception if it isn't. If the length is bogus, this should
+ * keep us from trying to allocate an immensely large buffer.
+ * (It won't help if the length is *valid* but immensely large,
+ * but that's another matter; in any case, that would happen only
+ * if we had an immensely large tvbuff....)
+ */
+ tvb_ensure_bytes_exist(tvb, offset, buffer_len);
+ s = g_malloc(buffer_len + 1);
+ tvb_memcpy(tvb, s, offset, buffer_len);
+ if (tree && buffer_len)
+ proto_tree_add_item(string_tree, hfindex, tvb, offset,
+ buffer_len, drep[0] & 0x10);
 }
 if (string_item != NULL)
--
cgit v1.2.3
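Review bot: In the non-Unicode `else` branch, `g_malloc(buffer_len + 1)` reserves a byte for a terminator, but nothing visible in the hunk writes it: `tvb_memcpy()` fills only `buffer_len` bytes, so `s` is a valid C string only if the packet data itself ends in a NUL. If the code after the hunk (starting at `if (string_item != NULL)`, body not shown) formats `s` as a string, a string without a terminator would be read past the end of the allocation; adding `s[buffer_len] = '\0';` right after the `tvb_memcpy()` call closes that. The new `tvb_ensure_bytes_exist()` guard is also applied only in this branch: the `size_is == sizeof(guint16)` branch still passes the same length, as `buffer_len / 2`, to `tvb_fake_unicode()`. Unless that helper performs an equivalent check before allocating (not visible here), the leak and oversized-allocation cases described in the commit message remain on that path. `dissect_ndr_cvstring` begins and ends outside the hunk.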