authorGuy Harris <guy@alum.mit.edu>2001-09-25 18:27:35 +0000
committerGuy Harris <guy@alum.mit.edu>2001-09-25 18:27:35 +0000
commita86490d2a7651930059c4750d735cf76efd969af (patch)
tree97f866f2c11edf3b58fca06551fb7524efeed2eb /packet-isakmp.c
parent12db23546de313dd28f797c080134334bb28ba92 (diff)
If "snprintf()" can't print all the data because there's not enough
room, it might return -1 in some versions of glibc; check for that, and quit if that happens. It might also return the number of characters that would've been printed had there been enough room; this means that a loop that does n += snprintf (buf + n, BUF_LENGTH - n, ...); may end up making "n" bigger than BUF_LENGTH, and "snprintf()" might not sanely handle being passed a negative length, so if "n" isn't less than the total length of the string buffer, don't add stuff to it. The "capabilitiesStart" variable in "add_capabilities()" in the WSP dissector is an offset into the PDU data; there's no guarantee that said offset is < 256, and, even if there were, there's no point in making it an 8-bit variable. Add some additional buffer overflow checks to the WSP dissector. svn path=/trunk/; revision=3953
Diffstat (limited to 'packet-isakmp.c')
-rw-r--r--packet-isakmp.c32
1 files changed, 28 insertions, 4 deletions
diff --git a/packet-isakmp.c b/packet-isakmp.c
index a9370fbb1f..6a16781254 100644
--- a/packet-isakmp.c
+++ b/packet-isakmp.c
@@ -3,7 +3,7 @@
* (ISAKMP) (RFC 2408)
* Brad Robel-Forrest <brad.robel-forrest@watchguard.com>
*
- * $Id: packet-isakmp.c,v 1.42 2001/08/31 19:47:07 guy Exp $
+ * $Id: packet-isakmp.c,v 1.43 2001/09/25 18:27:35 guy Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -989,17 +989,41 @@ situation2str(guint32 type) {
static char msg[SIT_MSG_NUM];
int n = 0;
char * sep = "";
+ int ret;
if (type & SIT_IDENTITY) {
- n += snprintf(msg, SIT_MSG_NUM-n, "%sIDENTITY", sep);
+ ret = snprintf(msg, SIT_MSG_NUM-n, "%sIDENTITY", sep);
+ if (ret == -1) {
+ /* Some versions of snprintf return -1 if they'd truncate the output. */
+ return msg;
+ }
+ n += ret;
sep = " & ";
}
if (type & SIT_SECRECY) {
- n += snprintf(msg, SIT_MSG_NUM-n, "%sSECRECY", sep);
+ if (n >= SIT_MSG_NUM) {
+ /* No more room. */
+ return msg;
+ }
+ ret = snprintf(msg, SIT_MSG_NUM-n, "%sSECRECY", sep);
+ if (ret == -1) {
+ /* Some versions of snprintf return -1 if they'd truncate the output. */
+ return msg;
+ }
+ n += ret;
sep = " & ";
}
if (type & SIT_INTEGRITY) {
- n += snprintf(msg, SIT_MSG_NUM-n, "%sINTEGRITY", sep);
+ if (n >= SIT_MSG_NUM) {
+ /* No more room. */
+ return msg;
+ }
+ ret = snprintf(msg, SIT_MSG_NUM-n, "%sINTEGRITY", sep);
+ if (ret == -1) {
+ /* Some versions of snprintf return -1 if they'd truncate the output. */
+ return msg;
+ }
+ n += ret;
sep = " & ";
}
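Review bot: All three snprintf() calls in situation2str() still write to `msg` rather than `msg + n`, so the new bookkeeping on `n` shrinks the length argument while the destination never advances. With more than one bit set, each flag overwrites the previous one and the result is only the last name with a leading " & ". The SECRECY call should read `ret = snprintf(msg + n, SIT_MSG_NUM-n, "%sSECRECY", sep);`, and likewise for IDENTITY and INTEGRITY; once the destination advances, the added `n >= SIT_MSG_NUM` guards are what keep the write inside the static buffer. I would also test `ret < 0` rather than `ret == -1`, and confirm that `msg` is NUL-terminated on the early-return paths, since a static buffer may still hold text from an earlier call. The function's signature and its final return are outside this hunk.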