PNIO: Fix another potential OOB write.

Bug: 13847 Change-Id: I62bb519b8e37112a59a7d209b39780f034dbcd0c Reviewed-on: https://code.wireshark.org/review/23267 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
author: Gerald Combs <gerald@wireshark.org> 2017-08-28 10:30:05 -0700
committer: Michael Mann <mmann78@netscape.net> 2017-08-28 21:39:33 +0000
commit: c9d05548405c6cc5c58dbede2e531c46732e009a (patch)
tree: d23a67766f1c8d0a568603e2bbbb9022bee85e11 /plugins
parent: 0f9935e9a145535a7bb996fbfd8b1d24c762210c (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/plugins/profinet/packet-dcerpc-pn-io.c b/plugins/profinet/packet-dcerpc-pn-io.c
index a716eaf106..fd1bb51ad9 100644
--- a/plugins/profinet/packet-dcerpc-pn-io.c
+++ b/plugins/profinet/packet-dcerpc-pn-io.c
@@ -9403,7 +9403,8 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
     /* Initial */
     io_data_object = wmem_new0(wmem_file_scope(), ioDataObject);
     io_data_object->profisafeSupported = FALSE;
-    io_data_object->moduleNameStr = wmem_strdup(wmem_file_scope(), "Unknown");
+    io_data_object->moduleNameStr = (gchar*)wmem_alloc(wmem_file_scope(), MAX_NAMELENGTH);
+    g_strlcpy(io_data_object->moduleNameStr, "Unknown", MAX_NAMELENGTH);
     vendorMatch = FALSE;
     deviceMatch = FALSE;
     gsdmlFoundFlag = FALSE;
@@ -9639,7 +9640,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
                                                 /* Find a String with the saved TextID and with a fitting value for it in the same line. This value is the name of the Module! */
                                                 if(((strstr(temp, tmp_moduletext)) != NULL) && ((strstr(temp, moduleValueInfo)) != NULL)) {
                                                     pch = strstr(temp, moduleValueInfo);
-                                                    if (pch != NULL && sscanf(pch, "Value=\"%[^\"]", io_data_object->moduleNameStr) == 1)
+                                                    if (pch != NULL && sscanf(pch, "Value=\"%199[^\"]", io_data_object->moduleNameStr) == 1)
                                                         break;    /* Found the name of the module */
                                                 }
                                             }
author	Gerald Combs <gerald@wireshark.org>	2017-08-28 10:30:05 -0700
committer	Michael Mann <mmann78@netscape.net>	2017-08-28 21:39:33 +0000
commit	c9d05548405c6cc5c58dbede2e531c46732e009a (patch)
tree	d23a67766f1c8d0a568603e2bbbb9022bee85e11 /plugins
parent	0f9935e9a145535a7bb996fbfd8b1d24c762210c (diff)