diff options
author | Bill Meier <wmeier@newsguy.com> | 2009-12-04 16:42:14 +0000 |
---|---|---|
committer | Bill Meier <wmeier@newsguy.com> | 2009-12-04 16:42:14 +0000 |
commit | 2dd96f051a6e7251f3d7f1539760c39387c211c3 (patch) | |
tree | 20a3e13e826a9a2865c70f6c1815af6dd0402d1c /wiretap | |
parent | cc43ff3835a3dae1569dbb56e9c009323c8ae48e (diff) |
From: babi
[Fix] potential memory problem (crash?) in daintree-sna.
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4294
(A parameterized version of the patch supplied in the above)
svn path=/trunk/; revision=31172
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/daintree-sna.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/wiretap/daintree-sna.c b/wiretap/daintree-sna.c index 3369ef4eea..f85b932b62 100644 --- a/wiretap/daintree-sna.c +++ b/wiretap/daintree-sna.c @@ -76,12 +76,16 @@ static const char daintree_magic_text[] = #define DAINTREE_MAGIC_TEXT_SIZE (sizeof daintree_magic_text) #define DAINTREE_MAX_LINE_SIZE 512 + #define COMMENT_LINE daintree_magic_text[0] static char readLine[DAINTREE_MAX_LINE_SIZE]; static char seekLine[DAINTREE_MAX_LINE_SIZE]; + static char readData[DAINTREE_MAX_LINE_SIZE/2]; static char seekData[DAINTREE_MAX_LINE_SIZE/2]; +#define READDATA_MAX_FIELD_SIZE "255" /* DAINTREE_MAX_LINE_SIZE/2 -1 */ +#define SEEKDATA_MAX_FIELD_SIZE "255" /* DAINTREE_MAX_LINE_SIZE/2 -1 */ static gboolean daintree_sna_read(wtap *wth, int *err, gchar **err_info _U_, gint64 *data_offset); @@ -146,7 +150,7 @@ daintree_sna_read(wtap *wth, int *err, gchar **err_info _U_, gint64 *data_offset } while (readLine[0] == COMMENT_LINE); /* parse one line of capture data */ - if (sscanf(readLine, "%*s %" G_GINT64_MODIFIER "u.%d %u %s", + if (sscanf(readLine, "%*s %" G_GINT64_MODIFIER "u.%d %u %" READDATA_MAX_FIELD_SIZE "s", &seconds, &wth->phdr.ts.nsecs, &wth->phdr.len, readData) != 4) { *err = WTAP_ERR_BAD_RECORD; @@ -202,7 +206,7 @@ daintree_sna_seek_read(wtap *wth, gint64 seek_off, union wtap_pseudo_header } while (seekLine[0] == COMMENT_LINE); /* ignore all but packet data, since the sequential read pass stored everything else */ - if (sscanf(seekLine, "%*s %*u.%*u %*u %s", seekData) != 1) { + if (sscanf(seekLine, "%*s %*u.%*u %*u %" SEEKDATA_MAX_FIELD_SIZE "s", seekData) != 1) { *err = WTAP_ERR_BAD_RECORD; *err_info = g_strdup("daintree_sna: corrupted seek record"); return FALSE; |