author | Gerald Combs <gerald@wireshark.org> | 2003-04-28 04:03:26 +0000 |
committer | Gerald Combs <gerald@wireshark.org> | 2003-04-28 04:03:26 +0000 |
commit | b2f936ff24129c4f40b62f2a4a5410a24ad45ab4 (patch) | |
tree | 44d90873362accb56c2c3d2eecab7c63e06ea5d9 /epan/tvbuff.c | |
parent | 4b4b030e514b884aaa0d50ba2fe5df830e78f5b0 (diff) |
Fix several buffer and integer overflow issues discovered by Timo Sirainen.
tvbuff.c:
Lots of existing code assumes that you can safely do the following:
#define MAX_BUF 64
guint8 buf[MAX_BUF];
...
tvb_get_nstringz0 (tvb, offset, MAX_BUF, buf, &bytes_copied);
In reality, tvb_get_nstringz*() can potentially write one byte past
"buf". Modify _tvb_get_nstringz() not to do that.
packet-ppp.c:
Check for a valid BAP suboption length.
packet-mount.c:
Fix a possible integer overflow in dissect_group().
svn path=/trunk/; revision=7590
Diffstat (limited to 'epan/tvbuff.c')
-rw-r--r-- | epan/tvbuff.c | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index 4e8a2c2f0d..e45aac3c1e 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -9,7 +9,7 @@
  * the data of a backing tvbuff, or can be a composite of
  * other tvbuffs.
  *
- * $Id: tvbuff.c,v 1.41 2003/02/24 01:22:26 guy Exp $
+ * $Id: tvbuff.c,v 1.42 2003/04/28 04:03:26 gerald Exp $
  *
  * Copyright (c) 2000 by Gilbert Ramirez <gram@alumni.rice.edu>
  *
@@ -1674,10 +1674,10 @@ tvb_format_text(tvbuff_t *tvb, gint offset, gint size)
 }
 
 /* Looks for a stringz (NUL-terminated string) in tvbuff and copies
- * no more than maxlength number of bytes, including terminating NUL, to buffer.
- * Returns length of string (not including terminating NUL), or -1 if the string was
- * truncated in the buffer due to not having reached the terminating NUL.
- * In this way, it acts like snprintf().
+ * no more than (maxlength - 1) number of bytes, including terminating NUL, to
+ * buffer. Returns length of string (not including terminating NUL), or -1 if
+ * the string was truncated in the buffer due to not having reached the
+ * terminating NUL.
  *
  * When processing a packet where the remaining number of bytes is less
  * than maxlength, an exception is not thrown if the end of the packet
@@ -1701,7 +1701,11 @@ _tvb_get_nstringz(tvbuff_t *tvb, gint offset, guint maxlength, guint8* buffer,
 	check_offset_length(tvb, offset, 0, &abs_offset, &junk_length);
 
 	if (maxlength == 0) {
+		*bytes_copied = 0;
+		return -1;
+	} else if (maxlength == 1) {
 		buffer[0] = 0;
+		*bytes_copied = 1;
 		return 0;
 	}
 
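Review bot: The new `maxlength == 1` branch returns 0 and reports one byte copied no matter what is at `abs_offset`, so a caller whose buffer only has room for the NUL cannot distinguish an empty string from a truncated one, while the `maxlength == 0` branch directly above it does return -1 for "nothing fit". If -1 is meant to signal truncation, this branch should inspect the first byte before deciding, guarded by the remaining-length check that the rest of the function presumably performs (that code, and the rest of `_tvb_get_nstringz`, lies outside this hunk). At minimum the header comment should state the contract, e.g. `maxlength == 0: nothing is written and -1 is returned; maxlength == 1: only the NUL is written and 0 is returned even if the string at offset is non-empty.`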
@@ -1715,16 +1719,22 @@ _tvb_get_nstringz(tvbuff_t *tvb, gint offset, guint maxlength, guint8* buffer,
 	}
 
 	/* This should not happen because check_offset_length() would
-	 * have already thrown an exception if 'offset' were out-of-bounds.
-	 */
+	 * have already thrown an exception if 'offset' were out-of-bounds.
+	 */
 	g_assert(len != -1);
 
+	/*
+	 * If we've been passed a negative number, maxlength will
+	 * be huge.
+	 */
+	g_assert(maxlength <= G_MAXINT);
+
 	if ((guint)len < maxlength) {
 		limit = len;
 		decreased_max = TRUE;
 	}
 	else {
-		limit = maxlength;
+		limit = maxlength - 1;
 	}
 
 	stringlen = tvb_strnlen(tvb, abs_offset, limit);
@@ -1750,10 +1760,10 @@ _tvb_get_nstringz(tvbuff_t *tvb, gint offset, guint maxlength, guint8* buffer,
 }
 
 /* Looks for a stringz (NUL-terminated string) in tvbuff and copies
- * no more than maxlength number of bytes, including terminating NUL, to buffer.
- * Returns length of string (not including terminating NUL), or -1 if the string was
- * truncated in the buffer due to not having reached the terminating NUL.
- * In this way, it acts like snprintf().
+ * no more than (maxlength - 1) number of bytes, including terminating NUL, to
+ * buffer. Returns length of string (not including terminating NUL), or -1 if
+ * the string was truncated in the buffer due to not having reached the
+ * terminating NUL.
  *
  * When processing a packet where the remaining number of bytes is less
  * than maxlength, an exception is not thrown if the end of the packet |
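Review bot: `g_assert(maxlength <= G_MAXINT)` turns a bad length into a process abort; in a dissector library any caller that derives `maxlength` from a packet field as a signed `gint` and passes a negative value will now take down the whole capture on a single crafted packet, which is a denial of service rather than a recovered malformed-packet error. Unless every caller is audited to pass only constant buffer sizes, this is safer as a thrown bounds error, e.g. `if (maxlength > G_MAXINT) THROW(BoundsError);`, presumably the same exception mechanism the rest of tvbuff.c uses for out-of-range reads. The `else` branch's `limit = maxlength - 1` only avoids underflow because the `maxlength == 0` and `maxlength == 1` cases are rejected earlier in the function, which deserves a one-line comment such as `/* maxlength >= 2 here: reserve one byte for the NUL */`. `_tvb_get_nstringz` starts and ends outside this hunk.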