author | Gerald Combs <gerald@wireshark.org> | 2003-05-19 03:23:12 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2003-05-19 03:23:12 +0000 |
commit | 7a132e5b48db1f5fea29d461daa8d3a481432918 (patch) | |
tree | 52efc6af782789bdc73143e570d7f654e6799987 /packet-fix.c | |
parent | a53a260f3c9f6a3bc0ac3ab4ec824f4b39a82ef0 (diff) |
More tvb_get_nstringz0() fixes. Timo Sirainen pointed out that Bad
Things can happen if we pass a zero buffer length to tvb_get_nstringz0().
Throw an exception if this happens.
In various dissectors make sure the tvb_get_nstringz0()'s buffer length
is greater than zero.
svn path=/trunk/; revision=7688
Diffstat (limited to 'packet-fix.c')
-rw-r--r-- | packet-fix.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/packet-fix.c b/packet-fix.c index 281ddbd1ec..75cf54810e 100644 --- a/packet-fix.c +++ b/packet-fix.c @@ -2,7 +2,7 @@ * Routines for Financial Information eXchange (FIX) Protocol dissection * Copyright 2000, PC Drew <drewpc@ibsncentral.com> * - * $Id: packet-fix.c,v 1.2 2003/04/30 02:35:19 gerald Exp $ + * $Id: packet-fix.c,v 1.3 2003/05/19 03:23:11 gerald Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@ethereal.com> @@ -878,6 +878,9 @@ dissect_fix(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) value_offset = equals + 1; value_len = ctrla_offset - value_offset; + if (value_len < 1) { + return return_malformed_packet(tvb, pinfo, tree); + } value = g_malloc(value_len); tvb_get_nstringz0(tvb, value_offset, value_len, value); @@ -918,6 +921,9 @@ dissect_fix(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) value_len = ctrla_offset - value_offset; tag_len = equals - field_offset; + if (tag_len < 1 || value_len < 1) { + return return_malformed_packet(tvb, pinfo, tree); + } tag_str = g_malloc(tag_len); tvb_get_nstringz0(tvb, field_offset, tag_len, tag_str); tag = atoi(tag_str); |
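Review bot: In the hunk at line 878, the new `value_len < 1` guard still admits `value_len == 1`, and `value` is allocated with exactly `value_len` bytes while that same `value_len` is passed to `tvb_get_nstringz0()` as the buffer length. If that length has to include the terminating NUL, the buffer can hold only `value_len - 1` bytes of the field value, so the last byte before `ctrla_offset` is dropped and a one-byte value comes back as an empty string. Consider allocating and passing `value_len + 1`, or add a comment saying the truncation is intended.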
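Review bot: In the hunk at line 918, the early `return return_malformed_packet(tvb, pinfo, tree);` is in the same `dissect_fix()` that allocated `value` with `g_malloc()` in the hunk at line 878, and no `g_free()` is visible on this path. If `value` or a previously allocated `tag_str` is still live when `tag_len < 1 || value_len < 1` is true, this return leaks it, so free any outstanding buffers before returning. A one-line comment that the check exists because `tvb_get_nstringz0()` must not be given a zero buffer length would also help, since the same guard now appears twice in this function.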