diff options
| author | Gerald Combs <gerald@wireshark.org> | 2003-04-28 04:03:26 +0000 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2003-04-28 04:03:26 +0000 |
| commit | b2f936ff24129c4f40b62f2a4a5410a24ad45ab4 (patch) | |
| tree | 44d90873362accb56c2c3d2eecab7c63e06ea5d9 /packet-mount.c | |
| parent | 4b4b030e514b884aaa0d50ba2fe5df830e78f5b0 (diff) | |
Fix several buffer and integer overflow issues discovered by Timo Sirainen.
tvbuff.c:
Lots of existing code assumes that you can safely do the following:
#define MAX_BUF 64
guint8 *buf[MAX_BUF];
...
tvb_get_nstringz0 (tvb, offset, MAX_BUF, buf, &bytes_copied);
In reality, tvb_get_nstringz*() can potentially write one byte past
"buf". Modify _tvb_get_nstringz() not to do that.
packet-ppp.c:
Check for a valid BAP suboption length.
packet-mount.c:
Fix a possible integer overflow in dissect_group().
svn path=/trunk/; revision=7590
Diffstat (limited to 'packet-mount.c')
| -rw-r--r-- | packet-mount.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/packet-mount.c b/packet-mount.c index 8c48f0f9dd..843443a9f0 100644 --- a/packet-mount.c +++ b/packet-mount.c @@ -1,7 +1,7 @@ /* packet-mount.c * Routines for mount dissection * - * $Id: packet-mount.c,v 1.37 2002/11/14 02:31:26 guy Exp $ + * $Id: packet-mount.c,v 1.38 2003/04/28 04:03:24 gerald Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@ethereal.com> @@ -240,17 +240,19 @@ dissect_group(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tre { int len,str_len; len=tvb_get_ntohl(tvb,offset); - str_len=tvb_get_nstringz(tvb,offset+4, - MAX_GROUP_NAME_LIST-5-group_names_len, - group_name_list+group_names_len); - if((group_names_len>=(MAX_GROUP_NAME_LIST-5))||(str_len<0)){ - strcpy(group_name_list+(MAX_GROUP_NAME_LIST-5),"..."); - group_names_len=MAX_GROUP_NAME_LIST-1; - } else { - group_names_len+=str_len; - group_name_list[group_names_len++]=' '; + if (group_names_len < MAX_GROUP_NAME_LIST - 5) { + str_len=tvb_get_nstringz(tvb,offset+4, + MAX_GROUP_NAME_LIST-5-group_names_len, + group_name_list+group_names_len); + if((group_names_len>=(MAX_GROUP_NAME_LIST-5))||(str_len<0)){ + strcpy(group_name_list+(MAX_GROUP_NAME_LIST-5),"..."); + group_names_len=MAX_GROUP_NAME_LIST; + } else { + group_names_len+=str_len; + group_name_list[group_names_len++]=' '; + } + group_name_list[group_names_len]=0; } - group_name_list[group_names_len]=0; offset = dissect_rpc_string(tvb, tree, hf_mount_groups_group, offset, NULL); |