From 4a4871a831bd32fc5b28ec4dd25b52ee4d54e22a Mon Sep 17 00:00:00 2001
From: Evan Huus
Date: Sun, 17 May 2015 10:31:38 -0400
Subject: ntlmssp: swap bounds check and length for memcpy

The values make more sense swapped (and the code is super-old) so I'm assuming this was just a long-uncaught typo. Fixes a valgrind error at any rate.
Also replace a malloc+memcpy with a memdup for simplicity.

Bug: 11203
Change-Id: I74c0aff548b844cf90610db56a143f3eac172658
Reviewed-on: https://code.wireshark.org/review/8493
Petri-Dish: Alexis La Goutte
Tested-by: Petri Dish Buildbot
Reviewed-by: Evan Huus
---
 epan/dissectors/packet-ntlmssp.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'epan/dissectors/packet-ntlmssp.c')

diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 7a41989c85..0646557726 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -981,11 +981,10 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, packet_info *pinfo,
   *end = blob_offset + blob_length;
   if (result != NULL) {
-    result->length = blob_length;
     if (blob_length < MAX_BLOB_SIZE) {
-      result->contents = (guint8 *)wmem_alloc(wmem_file_scope(), blob_length);
-      tvb_memcpy(tvb, result->contents, blob_offset, blob_length);
+      result->length = blob_length;
+      result->contents = (guint8 *)tvb_memdup(wmem_file_scope(), tvb, blob_offset, blob_length);
       if (blob_hf == hf_ntlmssp_auth_lmresponse && !(tvb_memeql(tvb, blob_offset+8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", NTLMSSP_KEY_LEN))) {
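Review bot: Moving `result->length = blob_length;` inside the `blob_length < MAX_BLOB_SIZE` branch keeps length and contents consistent, but an oversized blob now leaves both fields exactly as the previous call left them, and `result` appears to be conversation-scoped state (the second hunk passes `&conv_ntlmssp_info->ntlm_response`), so a later packet in the same conversation could be processed against an earlier packet's response buffer. Making the skipped case explicit, `else { result->length = 0; result->contents = NULL; }`, would keep the `length >= 32` consumer in dissect_ntlmssp_auth from copying stale bytes and would document that blobs at or above MAX_BLOB_SIZE are deliberately not retained. The tvb_memdup replacement itself looks fine; a one-line comment above the size check, `/* Only blobs below MAX_BLOB_SIZE are kept; larger ones leave result empty */`, would make the intent clear to the next reader. The body of dissect_ntlmssp_blob continues outside the hunk.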
@@ -1644,8 +1643,8 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
                              &item_end, conv_ntlmssp_info == NULL ? NULL : &conv_ntlmssp_info->ntlm_response);
-  if (conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length > 24) {
-    memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->ntlm_response.contents+32, 8);
+  if (conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length >= 32) {
+    memcpy(conv_ntlmssp_info->client_challenge, conv_ntlmssp_info->ntlm_response.contents+24, 8);
   }
   data_start = MIN(data_start, item_start);
   data_end = MAX(data_end, item_end);
-- 
cgit v1.2.3
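Review bot: The swap does make the memcpy in-bounds (8 bytes at offset 24 require `length >= 32`), but it is worth confirming which of the two numbers was the typo before relying on the copied value: in the MS-NLMP NTLMv2_RESPONSE layout the 16-byte Response is followed by RespType, HiRespType, Reserved1, Reserved2 and an 8-byte TimeStamp, which places TimeStamp at bytes 24–31 and ChallengeFromClient at bytes 32–39, so if this field is meant to be the NTLMv2 client challenge the original `contents+32` was the correct offset and the guard should instead read `conv_ntlmssp_info->ntlm_response.length >= 40`. Either way the two magic numbers should be tied to that layout in a comment, e.g. `/* NTLMv2 response: 16-byte NTProofStr, then type/reserved/timestamp fields before the 8-byte client challenge */`. The enclosing function dissect_ntlmssp_auth continues on both sides of the hunk.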