Wireshark-bugs: [Wireshark-bugs] [Bug 1513] Wrong length for tvb_memcpy in packet-bthci_acl.c
Date: Wed, 27 Feb 2008 05:58:24 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1513


Chris Maynard <christopher.maynard@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |christopher.maynard@xxxxxxxx
                   |                            |m




--- Comment #6 from Chris Maynard <christopher.maynard@xxxxxxxxx>  2008-02-27 05:58:18 GMT ---
(In reply to comment #5)
> If l2cap_length+4 equals the full size of the payload, while the capture was
> limited, then tvb_memcpy(tvb, (guint8*)mfp->reassembled,
> offset, l2cap_length+4); could read past the end of the tvb.
> 

Jaap, does that really matter?  Wouldn't the packet just be marked as
[Malformed] in that case, which it is?

Of course, Florent originally mentions the following:
> "The tvb_memcpy should use mfp->tot_len, and not the remaining length.
> I think the next tvb_memcpy, few lines hereafter, has the same problem, but I
> am not sure we can apply the same correction."

So maybe that should be verified first (by Florent?) and a patch provided that
either handles only the 1st case or both cases, as applicable.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.