diff options
author | Gerald Combs <gerald@wireshark.org> | 2017-08-28 10:30:05 -0700 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-08-28 21:39:33 +0000 |
commit | c9d05548405c6cc5c58dbede2e531c46732e009a (patch) | |
tree | d23a67766f1c8d0a568603e2bbbb9022bee85e11 /plugins | |
parent | 0f9935e9a145535a7bb996fbfd8b1d24c762210c (diff) |
PNIO: Fix another potential OOB write.
Bug: 13847
Change-Id: I62bb519b8e37112a59a7d209b39780f034dbcd0c
Reviewed-on: https://code.wireshark.org/review/23267
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/profinet/packet-dcerpc-pn-io.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/plugins/profinet/packet-dcerpc-pn-io.c b/plugins/profinet/packet-dcerpc-pn-io.c index a716eaf106..fd1bb51ad9 100644 --- a/plugins/profinet/packet-dcerpc-pn-io.c +++ b/plugins/profinet/packet-dcerpc-pn-io.c @@ -9403,7 +9403,8 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset, /* Initial */ io_data_object = wmem_new0(wmem_file_scope(), ioDataObject); io_data_object->profisafeSupported = FALSE; - io_data_object->moduleNameStr = wmem_strdup(wmem_file_scope(), "Unknown"); + io_data_object->moduleNameStr = (gchar*)wmem_alloc(wmem_file_scope(), MAX_NAMELENGTH); + g_strlcpy(io_data_object->moduleNameStr, "Unknown", MAX_NAMELENGTH); vendorMatch = FALSE; deviceMatch = FALSE; gsdmlFoundFlag = FALSE; @@ -9639,7 +9640,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset, /* Find a String with the saved TextID and with a fitting value for it in the same line. This value is the name of the Module! */ if(((strstr(temp, tmp_moduletext)) != NULL) && ((strstr(temp, moduleValueInfo)) != NULL)) { pch = strstr(temp, moduleValueInfo); - if (pch != NULL && sscanf(pch, "Value=\"%[^\"]", io_data_object->moduleNameStr) == 1) + if (pch != NULL && sscanf(pch, "Value=\"%199[^\"]", io_data_object->moduleNameStr) == 1) break; /* Found the name of the module */ } } |