forked from osmocom/wireshark
Fix various off-by-one in buffer sizes
Some only allow buffer overruns (read), others also buffer overflows (write). Found by looking for '\[ *N *\]' where N is 255, 0xff, 15 and 0xf (case insensitive). Change-Id: I250687e2fdeb8fbd5eaf0bbb8251c3dab9640760 Reviewed-on: https://code.wireshark.org/review/14034 Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This commit is contained in:
parent
55b5b7caf3
commit
3b644a75c9
|
@ -1873,7 +1873,7 @@ dissect_q2931(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
|
|||
proto_tree *q2931_tree = NULL;
|
||||
proto_item *ti;
|
||||
guint8 call_ref_len;
|
||||
guint8 call_ref[15];
|
||||
guint8 call_ref[16];
|
||||
guint8 message_type;
|
||||
guint8 message_type_ext;
|
||||
guint16 message_len;
|
||||
|
|
|
@ -2483,7 +2483,7 @@ dissect_q931_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
|||
proto_item *ti;
|
||||
guint8 prot_discr;
|
||||
guint8 call_ref_len;
|
||||
guint8 call_ref[15];
|
||||
guint8 call_ref[16];
|
||||
guint32 call_ref_val;
|
||||
guint8 message_type, segmented_message_type;
|
||||
guint8 info_element;
|
||||
|
|
|
@ -1795,7 +1795,7 @@ dissect_q933(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_
|
|||
proto_item *ti;
|
||||
proto_tree *ie_tree = NULL;
|
||||
guint8 call_ref_len;
|
||||
guint8 call_ref[15];
|
||||
guint8 call_ref[16];
|
||||
guint8 message_type;
|
||||
guint8 info_element;
|
||||
guint16 info_element_len;
|
||||
|
|
|
@ -44,16 +44,16 @@
|
|||
void register_tap_listener_gsm_astat(void);
|
||||
|
||||
typedef struct _gsm_a_stat_t {
|
||||
int bssmap_message_type[0xff];
|
||||
int dtap_mm_message_type[0xff];
|
||||
int dtap_rr_message_type[0xff];
|
||||
int dtap_cc_message_type[0xff];
|
||||
int dtap_gmm_message_type[0xff];
|
||||
int dtap_sms_message_type[0xff];
|
||||
int dtap_sm_message_type[0xff];
|
||||
int dtap_ss_message_type[0xff];
|
||||
int dtap_tp_message_type[0xff];
|
||||
int sacch_rr_message_type[0xff];
|
||||
int bssmap_message_type[0x100];
|
||||
int dtap_mm_message_type[0x100];
|
||||
int dtap_rr_message_type[0x100];
|
||||
int dtap_cc_message_type[0x100];
|
||||
int dtap_gmm_message_type[0x100];
|
||||
int dtap_sms_message_type[0x100];
|
||||
int dtap_sm_message_type[0x100];
|
||||
int dtap_ss_message_type[0x100];
|
||||
int dtap_tp_message_type[0x100];
|
||||
int sacch_rr_message_type[0x100];
|
||||
} gsm_a_stat_t;
|
||||
|
||||
|
||||
|
|
|
@ -1494,7 +1494,7 @@ hex_from_char(gchar c)
|
|||
|
||||
|
||||
/* Table allowing fast lookup from a pair of ascii hex characters to a guint8 */
|
||||
static guint8 s_tableValues[255][255];
|
||||
static guint8 s_tableValues[256][256];
|
||||
|
||||
/* Prepare table values so ready so don't need to check inside hex_byte_from_chars() */
|
||||
static void prepare_hex_byte_from_chars_table(void)
|
||||
|
|
Loading…
Reference in New Issue