Fix potential oob write crashes
Bug: 13847 Change-Id: I3a706db25204fe4c1fd1b7be3b17b8c55365dccf Reviewed-on: https://code.wireshark.org/review/23169 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
parent
5c27cb5f83
commit
5574b78dae
|
@ -1102,7 +1102,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
|
|||
response[data_length] = '\0';
|
||||
|
||||
data_str = strchr(response, '\n');
|
||||
if (data_str && sscanf(data_str, "%*s %s", pid) == 1) {
|
||||
if (data_str && sscanf(data_str, "%*s %15s", pid) == 1) {
|
||||
g_debug("Android Bluetooth application PID for %s is %s", serial_number, pid);
|
||||
|
||||
result = g_snprintf(check_port_buf, sizeof(check_port_buf), adb_check_port_templace, pid);
|
||||
|
@ -1123,7 +1123,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
|
|||
response[data_length] = '\0';
|
||||
|
||||
data_str = strchr(response, '\n');
|
||||
if (data_str && sscanf(data_str, "%*s %s", pid) == 1 && strcmp(pid + 9, "10EA") == 0) {
|
||||
if (data_str && sscanf(data_str, "%*s %15s", pid) == 1 && strlen(pid) > 10 && strcmp(pid + 9, "10EA") == 0) {
|
||||
g_debug("Bluedroid External Parser Port for %s is %s", serial_number, pid + 9);
|
||||
} else {
|
||||
disable_interface = 1;
|
||||
|
@ -1175,7 +1175,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
|
|||
else
|
||||
data_str = strchr(response, '\n');
|
||||
|
||||
if (data_str && sscanf(data_str, "%*s %s", pid) == 1) {
|
||||
if (data_str && sscanf(data_str, "%*s %15s", pid) == 1) {
|
||||
g_debug("Android Bluetooth application PID for %s is %s", serial_number, pid);
|
||||
|
||||
result = g_snprintf(check_port_buf, sizeof(check_port_buf), adb_check_port_templace, pid);
|
||||
|
@ -1196,7 +1196,7 @@ static int register_interfaces(extcap_parameters * extcap_conf, const char *adb_
|
|||
response[data_length] = '\0';
|
||||
|
||||
data_str = strchr(response, '\n');
|
||||
if (data_str && sscanf(data_str, "%*s %s", pid) == 1 && strcmp(pid + 9, "22A8") == 0) {
|
||||
if (data_str && sscanf(data_str, "%*s %15s", pid) == 1 && strlen(pid) > 10 && strcmp(pid + 9, "22A8") == 0) {
|
||||
g_debug("Btsnoop Net Port for %s is %s", serial_number, pid + 9);
|
||||
} else {
|
||||
disable_interface = 1;
|
||||
|
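Review bot: In the two "Android Bluetooth application PID" hunks, the `pid` token parsed from the device response is passed straight into `g_snprintf(check_port_buf, ..., adb_check_port_templace, pid)`; the new `%15s` bounds the write but still accepts any non-whitespace bytes. The template is not visible in these hunks, so this is inferred, but if it builds an adb request string, the response should be rejected unless `pid[strspn(pid, "0123456789")] == '\0'`. The literal width 15 is also only correct while `pid` is declared with at least 16 bytes, and that declaration sits outside the hunks, so a comment at the declaration such as `/* sscanf widths below assume sizeof(pid) - 1 */` would keep the two in step. In the two port hunks, the offset 9 and the strings "10EA"/"22A8" would benefit from a one-line comment naming the column layout they assume. `register_interfaces` starts and ends outside every hunk shown here.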
|
|
@ -9457,7 +9457,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
if((strstr(puffer, vendorIdStr)) != NULL) {
|
||||
memset (convertStr, 0, sizeof(*convertStr));
|
||||
pch = strstr(puffer, vendorIdStr);
|
||||
if (pch!= NULL && sscanf(pch, "VendorID=\"%[^\"]", convertStr) == 1) {
|
||||
if (pch!= NULL && sscanf(pch, "VendorID=\"%199[^\"]", convertStr) == 1) {
|
||||
read_vendor_id = (guint32) strtoul (convertStr, NULL, 0);
|
||||
|
||||
if(read_vendor_id == searchVendorID) {
|
||||
|
@ -9470,7 +9470,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
if((strstr(puffer, deviceIdStr)) != NULL) {
|
||||
memset(convertStr, 0, sizeof(*convertStr));
|
||||
pch = strstr(puffer, deviceIdStr);
|
||||
if (pch != NULL && sscanf(pch, "DeviceID=\"%[^\"]", convertStr) == 1) {
|
||||
if (pch != NULL && sscanf(pch, "DeviceID=\"%199[^\"]", convertStr) == 1) {
|
||||
read_device_id = (guint32)strtoul(convertStr, NULL, 0);
|
||||
|
||||
if(read_device_id == searchDeviceID) {
|
||||
|
@ -9604,7 +9604,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
memset (convertStr, 0, sizeof(*convertStr));
|
||||
|
||||
pch = strstr(temp, fParameterIndexStr);
|
||||
if (pch != NULL && sscanf(pch, "Index=\"%[^\"]", convertStr) == 1) {
|
||||
if (pch != NULL && sscanf(pch, "Index=\"%199[^\"]", convertStr) == 1) {
|
||||
io_data_object->fParameterIndexNr = (guint32)strtoul(convertStr, NULL, 0);
|
||||
}
|
||||
break; /* found Indexnumber -> break search loop */
|
||||
|
@ -9618,7 +9618,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
if((strstr(temp, moduleStr)) != NULL) { /* find the String "ModuleIdentNumber=" */
|
||||
memset (convertStr, 0, sizeof(*convertStr));
|
||||
pch = strstr(temp, moduleStr); /* search for "ModuleIdentNumber=\"" within GSD-file */
|
||||
if (pch != NULL && sscanf(pch, "ModuleIdentNumber=\"%[^\"]", convertStr) == 1) { /* Change format of Value string-->numeric string */
|
||||
if (pch != NULL && sscanf(pch, "ModuleIdentNumber=\"%199[^\"]", convertStr) == 1) { /* Change format of Value string-->numeric string */
|
||||
read_module_id = (guint32)strtoul(convertStr, NULL, 0); /* Change numeric string --> unsigned long; read_module_id contains the Value of the ModuleIdentNumber */
|
||||
|
||||
/* If the found ModuleID matches with the wanted ModuleID, search for the Submodule and break */
|
||||
|
@ -9629,7 +9629,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
if((strstr(temp, moduleNameInfo)) != NULL) { /* find the String "<Name" for the TextID */
|
||||
long filePosRecord;
|
||||
|
||||
if (sscanf(temp, "%*s TextId=\"%[^\"]", tmp_moduletext) != 1) /* saves the correct TextId for the next searchloop */
|
||||
if (sscanf(temp, "%*s TextId=\"%199[^\"]", tmp_moduletext) != 1) /* saves the correct TextId for the next searchloop */
|
||||
break;
|
||||
|
||||
filePosRecord = ftell(fp); /* save the current position of the filepointer (Offset) */
|
||||
|
@ -9652,7 +9652,7 @@ dissect_ExpectedSubmoduleBlockReq_block(tvbuff_t *tvb, int offset,
|
|||
if((strstr(temp, subModuleStr)) != NULL) {
|
||||
memset (convertStr, 0, sizeof(*convertStr));
|
||||
pch = strstr(temp, subModuleStr);
|
||||
if (pch != NULL && sscanf(pch, "SubmoduleIdentNumber=\"%[^\"]", convertStr) == 1) {
|
||||
if (pch != NULL && sscanf(pch, "SubmoduleIdentNumber=\"%199[^\"]", convertStr) == 1) {
|
||||
read_submodule_id = (guint32) strtoul (convertStr, NULL, 0); /* read_submodule_id contains the Value of the SubModuleIdentNumber */
|
||||
|
||||
/* Find "PROFIsafeSupported" flag of the module in GSD-file */
|
||||
|
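Review bot: The context lines `memset (convertStr, 0, sizeof(*convertStr));` ahead of the changed `sscanf` calls clear only one element, because `sizeof(*convertStr)` is the size of what the pointer refers to, not of the buffer. The declaration is outside these hunks, but if `convertStr` is a character buffer then only its first byte is zeroed, so the call should use the buffer's real length, `memset(convertStr, 0, <buffer length constant>);`. The new `%199[^\"]` widths have the same coupling: they are only safe while `convertStr` and `tmp_moduletext` hold at least 200 bytes, so a comment at their declarations stating that the scan widths depend on that size would guard against a later resize. `dissect_ExpectedSubmoduleBlockReq_block` begins and ends outside the hunks.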
|