From b2f936ff24129c4f40b62f2a4a5410a24ad45ab4 Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Mon, 28 Apr 2003 04:03:26 +0000
Subject: Fix several buffer and integer overflow issues discovered by Timo Sirainen.

tvbuff.c: Lots of existing code assumes that you can safely do the following:

#define MAX_BUF 64
guint8 *buf[MAX_BUF];
...
tvb_get_nstringz0 (tvb, offset, MAX_BUF, buf, &bytes_copied);

In reality, tvb_get_nstringz*() can potentially write one byte past "buf". Modify _tvb_get_nstringz() not to do that.

packet-ppp.c: Check for a valid BAP suboption length.

packet-mount.c: Fix a possible integer overflow in dissect_group().

svn path=/trunk/; revision=7590
---
 packet-mount.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

(limited to 'packet-mount.c')

diff --git a/packet-mount.c b/packet-mount.c
index 8c48f0f9dd..843443a9f0 100644
--- a/packet-mount.c
+++ b/packet-mount.c
@@ -1,7 +1,7 @@
 /* packet-mount.c
  * Routines for mount dissection
  *
- * $Id: packet-mount.c,v 1.37 2002/11/14 02:31:26 guy Exp $
+ * $Id: packet-mount.c,v 1.38 2003/04/28 04:03:24 gerald Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs
@@ -240,17 +240,19 @@ dissect_group(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tre
 {
 int len,str_len;
 len=tvb_get_ntohl(tvb,offset);
-str_len=tvb_get_nstringz(tvb,offset+4,
-MAX_GROUP_NAME_LIST-5-group_names_len,
-group_name_list+group_names_len);
-if((group_names_len>=(MAX_GROUP_NAME_LIST-5))||(str_len<0)){
-strcpy(group_name_list+(MAX_GROUP_NAME_LIST-5),"...");
-group_names_len=MAX_GROUP_NAME_LIST-1;
-} else {
-group_names_len+=str_len;
-group_name_list[group_names_len++]=' ';
+if (group_names_len < MAX_GROUP_NAME_LIST - 5) {
+str_len=tvb_get_nstringz(tvb,offset+4,
+MAX_GROUP_NAME_LIST-5-group_names_len,
+group_name_list+group_names_len);
+if((group_names_len>=(MAX_GROUP_NAME_LIST-5))||(str_len<0)){
+strcpy(group_name_list+(MAX_GROUP_NAME_LIST-5),"...");
+group_names_len=MAX_GROUP_NAME_LIST;
+} else {
+group_names_len+=str_len;
+group_name_list[group_names_len++]=' ';
+}
+group_name_list[group_names_len]=0;
 }
-group_name_list[group_names_len]=0;
 offset = dissect_rpc_string(tvb, tree, hf_mount_groups_group, offset, NULL);
-- 
cgit v1.2.3
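Review bot: The truncation branch now sets `group_names_len=MAX_GROUP_NAME_LIST;` and the `group_name_list[group_names_len]=0;` that follows the inner if/else then stores at index `MAX_GROUP_NAME_LIST`, which is one byte past the end if the buffer is declared with exactly `MAX_GROUP_NAME_LIST` elements (the declaration is outside this hunk, so that sizing is inferred). The removed line used `MAX_GROUP_NAME_LIST-1`, which keeps that terminator write in bounds and still makes every later call fail the new outer guard, so the truncation "..." is written only once; restore it as `group_names_len=MAX_GROUP_NAME_LIST-1;`. Under the new outer guard the `group_names_len>=(MAX_GROUP_NAME_LIST-5)` half of the inner condition can no longer be true, so only `str_len<0` selects the "..." path and the dead test could be dropped for clarity. `len` from `tvb_get_ntohl` is not used anywhere in the hunk, and dissect_group continues past the last visible line, so the rest of the function is not reviewed here.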