Fix a couple of integer underflows.

svn path=/trunk/; revision=23398
2007-11-08 05:54:29 +00:00 · 2007-11-08 05:54:29 +00:00 · 4105173f0e
parent ee3d03b7ae
commit 4105173f0e
2 changed files with 912 additions and 893 deletions
--- a/docbook/release-notes.xml
+++ b/docbook/release-notes.xml
@ -95,6 +95,19 @@ Wireshark Info
          </para>
        </listitem>

+        <listitem>
+          <para>
+            The NCP dissector could cause a crash.
+            <!-- Fixed in r23398 -->
+          </para>
+          <para>Versions affected: 0.99.6</para>
+          <para>
+            <!-- <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-????">CVE-2007-????</ulink> -->
+          </para>
+        </listitem>
+
+        <!-- iSeries -->
+        <!-- rtsp? -->
      </itemizedlist>

    </para>
--- a/epan/dissectors/packet-ncp2222.inc
+++ b/epan/dissectors/packet-ncp2222.inc
@ -2447,12 +2447,12 @@ align_4(tvbuff_t *tvb, guint32 aoffset)
 static void
 get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
 {
-        guint32 i;
+        gint i;
        guint16 c_char;
-        guint32 length_remaining = 0;
+        gint length_remaining = 0;

        length_remaining = tvb_length_remaining(tvb, offset);
-        if(str_length > length_remaining)  
+        if((gint)str_length > length_remaining)
        {
                THROW(ReportedBoundsError);
        }
@ -2461,7 +2461,7 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
        {
                return;
        }
-        for ( i = 0; i < str_length; i++ )
+        for ( i = 0; i < (gint)str_length; i++ )
        {
                c_char = tvb_get_guint8(tvb, offset );
                if (c_char<0x20 || c_char>0x7e)
@ -2493,6 +2493,9 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
                    break;       /* If string is too long just return the first 1K. */
                }
        }
+        if (i < 0) {
+                i = 0;
+        }
        dest_buf[i] = '\0';
        return;
 }
@ -2500,9 +2503,9 @@ get_string(tvbuff_t* tvb, guint offset, guint str_length, char *dest_buf)
 static void
 uni_to_string(char * data, guint32 str_length, char *dest_buf)
 {
-        guint32 i;
+        gint i;
        guint16 c_char;
-        guint32 length_remaining = 0;
+        gint length_remaining = 0;

        length_remaining = str_length;
        dest_buf[0] = '\0';
@ -2510,7 +2513,7 @@ uni_to_string(char * data, guint32 str_length, char *dest_buf)
        {
                return;
        }
-        for ( i = 0; i < str_length; i++ )
+        for ( i = 0; i < (gint) str_length; i++ )
        {
                c_char = data[i];
                if (c_char<0x20 || c_char>0x7e)
@ -2538,6 +2541,9 @@ uni_to_string(char * data, guint32 str_length, char *dest_buf)
                        return;
                }
        }
+        if (i < 0) {
+                i = 0;
+        }
        dest_buf[i] = '\0';
        return;
 }