Fix various off-by-one in buffer sizes

Some only allow buffer overruns (read), others also buffer overflows (write). Found by looking for '\[ *N *\]' where N is 255, 0xff, 15 and 0xf (case insensitive). Change-Id: I250687e2fdeb8fbd5eaf0bbb8251c3dab9640760 Reviewed-on: https://code.wireshark.org/review/14034 Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2016-02-20 16:02:54 +01:00 · 2016-02-20 16:02:54 +01:00 · 3b644a75c9
parent 55b5b7caf3
commit 3b644a75c9
5 changed files with 14 additions and 14 deletions
--- a/epan/dissectors/packet-q2931.c
+++ b/epan/dissectors/packet-q2931.c
@ -1873,7 +1873,7 @@ dissect_q2931(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U
 	proto_tree *q2931_tree = NULL;
 	proto_item *ti;
 	guint8	    call_ref_len;
-	guint8	    call_ref[15];
+	guint8	    call_ref[16];
 	guint8	    message_type;
 	guint8	    message_type_ext;
 	guint16	    message_len;
--- a/epan/dissectors/packet-q931.c
+++ b/epan/dissectors/packet-q931.c
@ -2483,7 +2483,7 @@ dissect_q931_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
    proto_item  *ti;
    guint8      prot_discr;
    guint8      call_ref_len;
-    guint8      call_ref[15];
+    guint8      call_ref[16];
    guint32     call_ref_val;
    guint8      message_type, segmented_message_type;
    guint8      info_element;
--- a/epan/dissectors/packet-q933.c
+++ b/epan/dissectors/packet-q933.c
@ -1795,7 +1795,7 @@ dissect_q933(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_
 	proto_item	*ti;
 	proto_tree	*ie_tree = NULL;
 	guint8		call_ref_len;
-	guint8		call_ref[15];
+	guint8		call_ref[16];
 	guint8		message_type;
 	guint8		info_element;
 	guint16		info_element_len;
--- a/ui/cli/tap-gsm_astat.c
+++ b/ui/cli/tap-gsm_astat.c
@ -44,16 +44,16 @@
 void register_tap_listener_gsm_astat(void);

 typedef struct _gsm_a_stat_t {
-    int         bssmap_message_type[0xff];
-    int         dtap_mm_message_type[0xff];
-    int         dtap_rr_message_type[0xff];
-    int         dtap_cc_message_type[0xff];
-    int         dtap_gmm_message_type[0xff];
-    int         dtap_sms_message_type[0xff];
-    int         dtap_sm_message_type[0xff];
-    int         dtap_ss_message_type[0xff];
-    int         dtap_tp_message_type[0xff];
-    int         sacch_rr_message_type[0xff];
+    int         bssmap_message_type[0x100];
+    int         dtap_mm_message_type[0x100];
+    int         dtap_rr_message_type[0x100];
+    int         dtap_cc_message_type[0x100];
+    int         dtap_gmm_message_type[0x100];
+    int         dtap_sms_message_type[0x100];
+    int         dtap_sm_message_type[0x100];
+    int         dtap_ss_message_type[0x100];
+    int         dtap_tp_message_type[0x100];
+    int         sacch_rr_message_type[0x100];
 } gsm_a_stat_t;


--- a/wiretap/catapult_dct2000.c
+++ b/wiretap/catapult_dct2000.c
@ -1494,7 +1494,7 @@ hex_from_char(gchar c)


 /* Table allowing fast lookup from a pair of ascii hex characters to a guint8 */
-static guint8 s_tableValues[255][255];
+static guint8 s_tableValues[256][256];

 /* Prepare table values so ready so don't need to check inside hex_byte_from_chars() */
 static void  prepare_hex_byte_from_chars_table(void)