More tvb_get_nstringz0() fixes. Timo Sirainen pointed out that Bad

Things can happen if we pass a zero buffer length to tvb_get_nstringz0().
Throw an exception if this happens.

In various dissectors make sure the tvb_get_nstringz0()'s buffer length
is greater than zero.


git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@7688 f5534014-38df-0310-8fa8-9805f1628bb7

1 files changed, 7 insertions, 1 deletions

diff --git a/packet-fix.c b/packet-fix.c
index 281ddbd1ec..75cf54810e 100644
--- a/packet-fix.c
+++ b/packet-fix.c
@@ -2,7 +2,7 @@
  * Routines for Financial Information eXchange (FIX) Protocol dissection
  * Copyright 2000, PC Drew <drewpc@ibsncentral.com>
  *
- * $Id: packet-fix.c,v 1.2 2003/04/30 02:35:19 gerald Exp $
+ * $Id: packet-fix.c,v 1.3 2003/05/19 03:23:11 gerald Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@ethereal.com>
@@ -878,6 +878,9 @@ dissect_fix(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
     value_offset = equals + 1;
     value_len = ctrla_offset - value_offset;
+    if (value_len < 1) {
+        return return_malformed_packet(tvb, pinfo, tree);
+    }
 
     value = g_malloc(value_len);
     tvb_get_nstringz0(tvb, value_offset, value_len, value);
@@ -918,6 +921,9 @@ dissect_fix(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
             value_len = ctrla_offset - value_offset;
 
             tag_len = equals - field_offset;
+            if (tag_len < 1 || value_len < 1) {
+                return return_malformed_packet(tvb, pinfo, tree);
+            }
             tag_str = g_malloc(tag_len);
             tvb_get_nstringz0(tvb, field_offset, tag_len, tag_str);
             tag = atoi(tag_str);