Wireshark-bugs: [Wireshark-bugs] [Bug 1513] Wrong length for tvb_memcpy in packet-bthci_acl.c
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1513
Chris Maynard <christopher.maynard@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |christopher.maynard@xxxxxxxx
| |m
--- Comment #6 from Chris Maynard <christopher.maynard@xxxxxxxxx> 2008-02-27 05:58:18 GMT ---
(In reply to comment #5)
> If l2cap_length+4 equals the full size of the payload, while the capture was
> limited, then tvb_memcpy(tvb, (guint8*)mfp->reassembled,
> offset, l2cap_length+4); could read past the end of the tvb.
>
Jaap, does that really matter? Wouldn't the packet just be marked as
[Malformed] in that case, which it is?
Of course, Florent originally mentions the following:
> "The tvb_memcpy should use mfp->tot_len, and not the remaining length.
> I think the next tvb_memcpy, few lines hereafter, has the same problem, but I
> am not sure we can apply the same correction."
So maybe that should be verified first (by Florent?) and a patch provided that
either handles only the 1st case or both cases, as applicable.
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.