Ethereal-dev: Re: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 16 Mar 2005 18:54:59 -0800
Bryan Fulton wrote:

> Bug 3:
> /ethereal-0.10.10/epan/dissectors/packet-manolito.c:dissect_manolito
> - length pulled off a tvb via tvb_get_guint8(), and length+1 is
> passed to malloc without proper bounds checking. Possible integer
> overflow on the allocation

How so? At least from my reading of the C89 standard, "length" is converted to "int" when 1 is added to it, so you won't overflow the "unsigned char" that "length" probably is. I.e., as "length" is in the range 0 to 255, "length + 1" is in the range 1 to 256.
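As an added illustration of the promotion rule described above (example code written for this page, not Ethereal's packet-manolito.c; the buf_t type, get_u8() and the other helper names are constructed stand-ins for the tvb API, and the sample packet is made up), the following C shows why an 8-bit length plus one cannot wrap, why the same expression on a 32-bit unsigned length can, and where the bounds check on the payload itself belongs:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a packet buffer (assumption: not the tvb API). */
typedef struct { const uint8_t *data; size_t len; } buf_t;

/* Mimics tvb_get_guint8(): returns the byte at 'off', or 0 when out of
   range (the real tvb API throws an exception instead). */
static uint8_t get_u8(const buf_t *b, size_t off) {
    return off < b->len ? b->data[off] : 0;
}

/* The pattern under discussion: an 8-bit length plus one as a malloc size.
   The usual arithmetic conversions promote 'length' to int before the
   addition, so the result is 1..256 and can never wrap to 0. */
size_t alloc_size_u8(uint8_t length) {
    return (size_t)(length + 1);   /* int arithmetic, not uint8_t arithmetic */
}

/* The same expression with a 32-bit unsigned length does wrap: unsigned int
   is not promoted any further, so 0xFFFFFFFF + 1 == 0, and malloc(0) hands
   back a block a later copy would overrun. */
uint32_t alloc_size_u32(uint32_t length) {
    return length + 1;
}

/* Overflow-checked addition for 32-bit size computations (constructed
   helper): returns the sum, or -1 when a + b does not fit in uint32_t. */
int64_t checked_add_u32(uint32_t a, uint32_t b) {
    if (a > UINT32_MAX - b) return -1;
    return (int64_t)a + b;
}

/* Read a length-prefixed string at 'off' into a freshly allocated,
   NUL-terminated C string. The check that matters is that the 'length'
   payload bytes really exist in the buffer; the allocation size itself
   cannot overflow. Returns NULL on a truncated buffer or malloc failure. */
char *read_pascal_string(const buf_t *b, size_t off) {
    uint8_t length = get_u8(b, off);
    if (off + 1 + (size_t)length > b->len) return NULL;  /* payload bounds check */
    char *s = malloc(alloc_size_u8(length));              /* 1..256 bytes, never 0 */
    if (!s) return NULL;
    memcpy(s, b->data + off + 1, length);
    s[length] = '\0';
    return s;
}

/* Convenience wrapper: parse a raw packet of 'n' bytes and return the
   length of the decoded string, or -1 if the packet was truncated. */
long parsed_string_length(const uint8_t *pkt, size_t n) {
    buf_t b = { pkt, n };
    char *s = read_pascal_string(&b, 0);
    if (!s) return -1;
    long out = (long)strlen(s);
    free(s);
    return out;
}

int main(void) {
    /* Constructed sample packet: length byte 5 followed by "hello". */
    const uint8_t pkt[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    buf_t b = { pkt, sizeof pkt };
    char *s = read_pascal_string(&b, 0);
    printf("%s\n", s ? s : "(truncated)");
    free(s);
    printf("u8 255+1 -> %zu, u32 0xFFFFFFFF+1 -> %u\n",
           alloc_size_u8(255), alloc_size_u32(UINT32_MAX));
    return 0;
}
```

The point of the contrast is that the type of the operand decides whether "+1" is dangerous: a promoted guint8 lands in int, where 256 fits comfortably, whereas a guint32 stays unsigned int and wraps, which is the case a checked add such as checked_add_u32() guards against.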