From c9d05548405c6cc5c58dbede2e531c46732e009a Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Mon, 28 Aug 2017 10:30:05 -0700
Subject: PNIO: Fix another potential OOB write.
Bug: 13847
Change-Id: I62bb519b8e37112a59a7d209b39780f034dbcd0c
Reviewed-on: https://code.wireshark.org/review/23267
Reviewed-by: Gerald Combs
Petri-Dish: Gerald Combs
Tested-by: Petri Dish Buildbot
Reviewed-by: Michael Mann
---
plugins/profinet/packet-dcerpc-pn-io.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'plugins')
diff --git a/plugins/profinet/packet-dcerpc-pn-io.c b/plugins/profinet/packet-dcerpc-pn-io.c
index a716eaf106..fd1bb51ad9 100644
--- a/plugins/profinet/packet-dcerpc-pn-io.c
+++ b/plugins/profinet/packet-dcerpc-pn-io.c
@@ -9403,7 +9403,8 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 /* Initial */
 io_data_object = wmem_new0(wmem_file_scope(), ioDataObject);
 io_data_object->profisafeSupported = FALSE;
- io_data_object->moduleNameStr = wmem_strdup(wmem_file_scope(), "Unknown");
+ io_data_object->moduleNameStr = (gchar*)wmem_alloc(wmem_file_scope(), MAX_NAMELENGTH);
+ g_strlcpy(io_data_object->moduleNameStr, "Unknown", MAX_NAMELENGTH);
 vendorMatch = FALSE;
 deviceMatch = FALSE;
 gsdmlFoundFlag = FALSE;
@@ -9639,7 +9640,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
 /* Find a String with the saved TextID and with a fitting value for it in the same line. This value is the name of the Module! */
 if(((strstr(temp, tmp_moduletext)) != NULL) && ((strstr(temp, moduleValueInfo)) != NULL)) {
 pch = strstr(temp, moduleValueInfo);
- if (pch != NULL && sscanf(pch, "Value=\"%[^\"]", io_data_object->moduleNameStr) == 1)
+ if (pch != NULL && sscanf(pch, "Value=\"%199[^\"]", io_data_object->moduleNameStr) == 1)
 break; /* Found the name of the module */
 }
 }
--
cgit v1.2.3
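Review bot: The new allocation under `/* Initial */` has no comment recording that `moduleNameStr` must now always point at a `MAX_NAMELENGTH`-byte buffer, which is the invariant the bounded `sscanf` in the second hunk depends on. If a later change goes back to `wmem_strdup()` or assigns a shorter string to this field, the out-of-bounds write comes back without any compiler warning. I would add above the allocation: `/* moduleNameStr is a fixed MAX_NAMELENGTH buffer; the GSDML sscanf() further down writes into it in place */`. The function starts and ends outside the hunk, so any other writers of this field are not visible here and should be checked against the same invariant.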
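Review bot: The field width `199` in the new `sscanf` format is a bare literal that is only safe while `MAX_NAMELENGTH` is at least 200, and that definition is not visible in this diff. Tie the two together so that changing the macro cannot silently reopen the overflow, for example with `G_STATIC_ASSERT(MAX_NAMELENGTH >= 200);` next to the call, or at minimum the comment `/* width must stay <= MAX_NAMELENGTH - 1 */`. A `Value` attribute longer than 199 characters is now truncated and still counted as a match; that is probably fine for a display name but is worth stating in the comment. The enclosing function continues outside the hunk.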