LDSS: Fix a read overrun in dissect_ldss_transfer.

dissect_ldss_transfer had a trivial read overrun: "line" was not
NUL-terminated, and strtol/g_ascii_strtoull will keep reading and discarding
any leading whitespace, so a malformed LDSS packet (with only whitespace
characters following the tag on a "Size:"/"Start:"/"Compression:" line) could
trigger a read overrun.

Let's replace the tvb_memdup with tvb_get_string_enc, which does some checking
of the input characters (which, it seems, must always be ASCII), and produces a
neat NUL-terminated string.

Testing Done: On Linux x64, ran "valgrind tshark -r fuzz-2018-04-23-14422.pcap"
   without the fix (to reproduce the failure), and then with the fix, and
   observed that no errors were reported anymore after the fix. 60,000 iters of
   fuzz-test with ldss_filtered.pcap as input, plus 1,000 iters under valgrind.
   Launched wireshark and opened ldss_filtered.pcap, and examined the dissection
   of the "ldss and tcp" packets; All looks good.

Bug: 14615
Change-Id: I3fccc4ffbe315a3cff6ea03cc7db37f884b0582c
Reviewed-on: https://code.wireshark.org/review/27204
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>

1 files changed, 1 insertions, 1 deletions

diff --git a/epan/dissectors/packet-ldss.c b/epan/dissectors/packet-ldss.c
index 3207edc71a..c53e406b84 100644
--- a/epan/dissectors/packet-ldss.c
+++ b/epan/dissectors/packet-ldss.c
@@ -496,7 +496,7 @@ dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void
 			linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
 
 			/* Include new-line in line */
-			line = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, offset, linelen+1); /* XXX - memory leak? */
+			line = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, linelen, ENC_ASCII);
 
 			line_tree = proto_tree_add_subtree(ldss_tree, tvb, offset, linelen,
 							 ett_ldss_transfer_req, NULL,