Ethereal-dev: Re: [Ethereal-dev] More bounds check problems

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 13 Jun 2002 00:38:30 -0700
On Mon, Jun 10, 2002 at 12:59:20PM +1000, Peter Hawkins wrote:
> A not too dangerous one:
> packet-beep.c line 473:
> - -tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff), i));
> +tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff) - 1, i));
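Review bot: reserving one byte with `sizeof(int_buff) - 1` only helps if the copied data is then terminated; the hunk does not show whether `int_buff[MIN(sizeof(int_buff) - 1, i)]` is set to `'\0'` after the `tvb_memcpy()`, so that should be confirmed in the surrounding code. Note also that when `i` exceeds the buffer the capped copy silently truncates the field rather than reporting it.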

Checked in.

> A probably exploitable buffer overflow:
> packet-scsi.c line 1346:
> - -tvb_get_nstringz0 (tvb, offset, plen, str);
> +tvb_get_nstringz0(tvb, offset, MIN(plen, sizeof(str)), str);
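Review bot: the cap of `MIN(plen, sizeof(str))` is still one byte short if `tvb_get_nstringz0()` writes a terminating `'\0'` beyond the length it is given: with `plen >= sizeof(str)` the terminator lands at `str[sizeof(str)]`, one past the end of the array. Cap at `MIN(plen, sizeof(str) - 1)` instead.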

Checked in...

...with

	MIN(plen, sizeof(str))

changed to

	MIN(plen, sizeof(str) - 1)

(the length argument to "tvb_get_nstringz0()" is the maximum length of
the string *not* counting the trailing '\0'), and with "str" itself
increased in length to 257 bytes (to hold the maximum-length string).
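The off-by-one discussed above, as an added C example that is not part of this thread or of Ethereal's code. It uses a constructed stand-in for the packet buffer and a `model_get_nstringz0()` written only to match the contract Guy describes (the length argument is the maximum string length, and a `'\0'` is written after it), so it writes up to `maxlen + 1` bytes. A canary byte placed right after the destination array shows which of the two caps keeps the write in bounds:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-in for a captured packet; not Ethereal's tvbuff. */
typedef struct {
    const uint8_t *data;
    size_t len;
} fake_tvb;

/* Hypothetical model of the contract: copy at most maxlen bytes of a
 * string starting at offset, stop early at a NUL in the packet, and
 * always append '\0'. The terminator is the byte maxlen does not count. */
static size_t model_get_nstringz0(const fake_tvb *tvb, size_t offset,
                                  size_t maxlen, char *buf)
{
    size_t n = 0;
    while (n < maxlen && offset + n < tvb->len && tvb->data[offset + n] != '\0') {
        buf[n] = (char)tvb->data[offset + n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

/* Size of the dissector's destination array in this example. */
#define STR_SIZE 8

/* Copy a plen-byte field into an array of STR_SIZE bytes using the given
 * cap, with a canary stored immediately after the array. Returns 1 if the
 * canary survived, 0 if the terminator spilled past the array. */
static int copy_stays_in_bounds(size_t plen, size_t cap)
{
    uint8_t packet[64];
    memset(packet, 'A', sizeof packet);       /* constructed: no NUL inside plen */
    fake_tvb tvb = { packet, sizeof packet };

    char region[STR_SIZE + 1];                /* region[0..STR_SIZE-1] is "str" */
    const char canary = 0x5a;
    region[STR_SIZE] = canary;                /* the byte right after str[] */

    model_get_nstringz0(&tvb, 0, MIN(plen, cap), region);
    return region[STR_SIZE] == canary;
}

/* Number of bytes the call writes for a given cap: the copied bytes plus
 * the terminator. A 256-byte maximum therefore needs a 257-byte array. */
static size_t bytes_written(size_t plen, size_t cap)
{
    return MIN(plen, cap) + 1;
}

int main(void)
{
    printf("cap sizeof(str):     %s\n",
           copy_stays_in_bounds(20, STR_SIZE) ? "in bounds" : "OVERFLOW");
    printf("cap sizeof(str) - 1: %s\n",
           copy_stays_in_bounds(20, STR_SIZE - 1) ? "in bounds" : "OVERFLOW");
    printf("bytes written for a 256-byte field capped at 256: %zu\n",
           bytes_written(256, 256));
    return 0;
}
```

The first cap lets the terminator land on the canary; the second leaves it intact, which is exactly why the checked-in version subtracts one and why `str` grew to 257 bytes for a 256-byte maximum.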