gsm_a_gm: fix potential buffer overrun (read)
When the string "str" is empty, "str+1" is invalid. This function can be called from functions using SET_ELEM_VARS in packet-gsm_a_common.c which appear to check the length first, but packet-etsi_card_app_toolkit.c and packet-camel.c do not. Err on the safe side and do not add the item. Change-Id: I6bd559593bb10ff0b8bf08a48d828613e3d8ccf5 Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4311 Reviewed-on: https://code.wireshark.org/review/27470 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Reviewed-by: Anders Broman <a.broman58@gmail.com>
parent
65754fa4d7
commit
4d800d7b8a
|
@ -4353,9 +4353,11 @@ de_sm_apn(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, g
|
|||
}
|
||||
|
||||
/* Highlight bytes including the first length byte */
|
||||
pi = proto_tree_add_string(tree, hf_gsm_a_gm_apn, tvb, curr_offset, len, str+1);
|
||||
if (len > 100) {
|
||||
expert_add_info(pinfo, pi, &ei_gsm_a_gm_apn_too_long);
|
||||
if (str[0]) {
|
||||
pi = proto_tree_add_string(tree, hf_gsm_a_gm_apn, tvb, curr_offset, len, str+1);
|
||||
if (len > 100) {
|
||||
expert_add_info(pinfo, pi, &ei_gsm_a_gm_apn_too_long);
|
||||
}
|
||||
}
|
||||
curr_offset += len;
|
||||
|
||||
|
|
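Review bot: The new `if (str[0])` guard has no comment, and the existing "Highlight bytes including the first length byte" comment now sits above the guard rather than the `proto_tree_add_string` call it describes. I would move that comment inside the block and state the reason on the guard, for example `/* Empty string: str+1 would point past the terminator, so skip the item */`. The `len > 100` expert info is now inside the guard too, so it is skipped together with the item; that looks harmless if an empty string implies a zero `len`, but the code that builds `str` is outside the hunk (as are the start and end of de_sm_apn), so this should be confirmed. Because the empty case is dropped silently, a malformed APN element leaves no trace in the tree, and an expert info on that path would keep it visible to an analyst.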