If "snprintf()" can't print all the data because there's not enough

room, it might return -1 in some versions of glibc; check for that, and
quit if that happens.

It might also return the number of characters that would've been printed
had there been enough room; this means that a loop that does

	n += snprintf (buf + n, BUF_LENGTH - n, ...);

may end up making "n" bigger than BUF_LENGTH, and "snprintf()" might not
sanely handle being passed a negative length, so if "n" isn't less than
the total length of the string buffer, don't add stuff to it.

The "capabilitiesStart" variable in "add_capabilities()" in the WSP
dissector is an offset into the PDU data; there's no guarantee that said
offet is < 256, and, even if there were, there's no point in making it
an 8-bit variable.

Add some additional buffer overflow checks to the WSP dissector.

svn path=/trunk/; revision=3953

1 files changed, 2 insertions, 2 deletions

diff --git a/packet-icmpv6.c b/packet-icmpv6.c
index b412aa6a7b..5bbc5e2b18 100644
--- a/packet-icmpv6.c
+++ b/packet-icmpv6.c
@@ -1,7 +1,7 @@
 /* packet-icmpv6.c
  * Routines for ICMPv6 packet disassembly
  *
- * $Id: packet-icmpv6.c,v 1.50 2001/09/05 19:48:53 guy Exp $
+ * $Id: packet-icmpv6.c,v 1.51 2001/09/25 18:27:35 guy Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@ethereal.com>
@@ -487,7 +487,7 @@ bitrange0(v, s, buf, buflen)
 			l = snprintf(p, ep - p, ",%d-%d", s + off,
 			    s + off + i - 1);
 		}
-		if (l > ep - p) {
+		if (l == -1 || l > ep - p) {
 			buf[0] = '\0';
 			return NULL;
 		}