Wireshark-bugs: [Wireshark-bugs] [Bug 8112] MS-MMC dissector crash
Date: Fri, 21 Dec 2012 16:10:14 +0000

changed bug 8112

What    Removed    Added
Status  CONFIRMED  IN_PROGRESS

Comment # 4 on bug 8112 from
however, I'm not sure if such a check is the best way of fixing this.

When it gets a negative length, tvb_get_ephemeral_unicode_string() returns a
string which contains only the 0 termination - there's no indication that
something went wrong. Should we return NULL for an invalid length parameter? Or
throw an exception?

The resulting string is then passed to format_text() with the original
(stupidly large) length. format_text() starts processing without any checks and
crashes. Should we check that string is non-NULL and contains no 0x0 character
within len-1 bytes??
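
The failure mode discussed in this comment, as an added C example that is not part of the original message and is not Wireshark code: `get_string` and `format_text_checked` are hypothetical stand-ins for the getter and formatter named above. It shows a getter that hides an invalid length and a formatter that validates its arguments and clamps to the string's terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical getter modelled on the behaviour described above: an invalid
 * length silently yields an empty string, with no error for the caller. */
static const char *get_string(const char *data, int len, char *store, size_t store_sz)
{
    if (len < 0 || (size_t)len >= store_sz) {
        store[0] = '\0';
        return store;
    }
    memcpy(store, data, (size_t)len);
    store[len] = '\0';
    return store;
}

/* Checked formatter: rejects NULL and negative lengths, and stops at the
 * string's own terminator even when the claimed length is far larger.
 * Assumes s is NUL-terminated or at least len bytes long.
 * Returns the number of characters written, or -1 on invalid input. */
static int format_text_checked(const char *s, int len, char *out, size_t out_sz)
{
    if (s == NULL || len < 0 || out_sz == 0)
        return -1;
    /* memchr stops at the first match, so it never passes the terminator. */
    const char *nul = memchr(s, '\0', (size_t)len);
    size_t n = nul ? (size_t)(nul - s) : (size_t)len;
    size_t w = 0;
    for (size_t i = 0; i < n && w + 5 <= out_sz; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= 0x20 && c < 0x7f)
            out[w++] = (char)c;                  /* printable: copy as is */
        else
            w += (size_t)snprintf(out + w, out_sz - w, "\\x%02x", c);
    }
    out[w] = '\0';
    return (int)w;
}

int main(void)
{
    char store[32], out[64];
    /* Constructed input: a length field that decoded to a negative value. */
    const char *s = get_string("abcd", -16, store, sizeof store);
    printf("negative len -> %d\n", format_text_checked(s, -16, out, sizeof out));
    printf("oversized len -> %d\n", format_text_checked(s, 1000000, out, sizeof out));
    return 0;
}
```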

