Wireshark-bugs: [Wireshark-bugs] [Bug 8112] MS-MMC dissector crash
Date: Fri, 21 Dec 2012 16:50:37 +0000

Comment # 5 on bug 8112 from
(In reply to comment #4)
> however, I'm not sure if such a check is the best way of fixing this.
> 
> When it gets a negative length, tvb_get_ephemeral_unicode_string() returns a
> string which contains only the 0 termination - there's no indication that
> something went wrong. Should we return NULL for an invalid length parameter?
> Or throw an exception?

I suspect an exception is the right thing to do here.

> The resulting string is then passed to format_text() with the original
> (stupidly large) length. format_text() starts processing without any checks
> and crashes. Should we check that string is non-NULL and cotains no 0x0
> character within len-1 bytes??

Yes, this also.


You are receiving this mail because:
  • You are watching all bug changes.