From 4d800d7b8a83f6aab13558867fbe2118f0228971 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sat, 12 May 2018 12:19:46 +0200
Subject: [PATCH] gsm_a_gm: fix potential buffer overrun (read)

When the string "str" is empty, "str+1" is invalid. This function can be called from functions using SET_ELEM_VARS in packet-gsm_a_common.c which appear to check the length first, but packet-etsi_card_app_toolkit.c and packet-camel.c do not. Err on the safe side and do not add the item.

Change-Id: I6bd559593bb10ff0b8bf08a48d828613e3d8ccf5
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4311
Reviewed-on: https://code.wireshark.org/review/27470
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-gsm_a_gm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-gsm_a_gm.c b/epan/dissectors/packet-gsm_a_gm.c
index 97023632fb..dadd32611d 100644
--- a/epan/dissectors/packet-gsm_a_gm.c
+++ b/epan/dissectors/packet-gsm_a_gm.c
@@ -4353,9 +4353,11 @@ de_sm_apn(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset, g
 	}
 	/* Highlight bytes including the first length byte */
-	pi = proto_tree_add_string(tree, hf_gsm_a_gm_apn, tvb, curr_offset, len, str+1);
-	if (len > 100) {
-		expert_add_info(pinfo, pi, &ei_gsm_a_gm_apn_too_long);
+	if (str[0]) {
+		pi = proto_tree_add_string(tree, hf_gsm_a_gm_apn, tvb, curr_offset, len, str+1);
+		if (len > 100) {
+			expert_add_info(pinfo, pi, &ei_gsm_a_gm_apn_too_long);
+		}
 	}
 	curr_offset += len;
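Review bot: The new `if (str[0])` guard silently drops the APN item when the decoded string is empty, so a zero-length or malformed APN field from an unchecked caller (the commit names packet-etsi_card_app_toolkit.c and packet-camel.c) leaves no trace in the tree and no expert note, which makes the condition hard to spot in captures. Adding an expert info of its own in an `else` branch would keep the fuzz fix while still flagging the input; at minimum the guard deserves a comment, e.g. `/* str is empty when the APN has no labels; str+1 would then point past the terminator */`. The guard also relies on how `str` is built and terminated earlier in de_sm_apn, which is outside this hunk, so the comment should state that assumption. While this block is being touched, the `len > 100` threshold is a magic number and would read better as a named constant. The enclosing function starts before and ends after the hunk.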