diff options
author | Evan Huus <eapache@gmail.com> | 2014-08-07 20:25:34 -0400 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2014-08-08 00:31:50 +0000 |
commit | c10396dbbf782a576bc1f9a931cf86090cec3878 (patch) | |
tree | 228d32a7bda2199fb2235d21c611dd3ce863c909 /epan | |
parent | dea377ba2fb8d7040746af82a63218d0d5fd6a84 (diff) |
Fix read-past-end-of-buffer in CUPS dissector
Even when the protocol specifies that a string ends in a null-terminator, there
are packets which won't. Therefore:
**the result of tvb_get_ptr SHALL NOT be treated as a null-terminated string**
We need to post that in big neon lettering somewhere obvious.
Bug: 10353
Change-Id: Ie30cd13353a9830311e573e734dd89dc07622c98
Reviewed-on: https://code.wireshark.org/review/3485
Reviewed-by: Evan Huus <eapache@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-cups.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/epan/dissectors/packet-cups.c b/epan/dissectors/packet-cups.c index 190541e3e3..7f7f4b9607 100644 --- a/epan/dissectors/packet-cups.c +++ b/epan/dissectors/packet-cups.c @@ -279,7 +279,7 @@ get_quoted_string(tvbuff_t *tvb, gint offset, gint *next_offset, guint *len) if (o != -1) { offset++; l = o - offset; - s = tvb_get_ptr(tvb, offset, l); + s = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, l, ENC_ASCII); offset = o + 1; } } @@ -300,7 +300,7 @@ get_unquoted_string(tvbuff_t *tvb, gint offset, gint *next_offset, guint *len) o = tvb_pbrk_guint8(tvb, offset, -1, " \t\r\n", NULL); if (o != -1) { l = o - offset; - s = tvb_get_ptr(tvb, offset, l); + s = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, l, ENC_ASCII); offset = o; } |