Use wmem_memdup() instead of wmem_alloc() followed by memcpy().
This also fixes a case where, if nfs_fh->len wasn't a multiple of 4, the allocated buffer was too short, by the difference between the next lower multiple of 4 and nfs_fh->len, so the memcpy() went past the end of the buffer. (And, yes, an NFSv3 file handle can have a byte count that's not a multiple of 4 - it's a variable-length opaque type - even if the marshalled data is padded with 0s to a multiple of 4 bytes, as with other XDR types.) Change-Id: I689d4b365e8a1547428a1580884f66177dc5841b Reviewed-on: https://code.wireshark.org/review/12964 Reviewed-by: Guy Harris <guy@alum.mit.edu>
This commit is contained in:
Guy Harris
parent
31956f98d0
commit
5a60c0d72e
|
|
@ -959,8 +959,7 @@ store_nfs_file_handle(nfs_fhandle_data_t *nfs_fh)
|
|||
|
||||
new_nfs_fh = wmem_new(wmem_file_scope(), nfs_fhandle_data_t);
|
||||
new_nfs_fh->len = nfs_fh->len;
|
||||
new_nfs_fh->fh = (const unsigned char *)wmem_alloc(wmem_file_scope(), sizeof(guint32)*(nfs_fh->len/4));
|
||||
memcpy((void *)new_nfs_fh->fh, nfs_fh->fh, nfs_fh->len);
|
||||
new_nfs_fh->fh = (const unsigned char *)wmem_memdup(wmem_file_scope(), nfs_fh->fh, nfs_fh->len);
|
||||
fhlen = nfs_fh->len/4;
|
||||
fhkey[0].length = 1;
|
||||
fhkey[0].key = &fhlen;
|
||||
|
|
|
|||
Loading…
Reference in New Issue