Problem:
"off by 1" bug in packet-smb-common.c: dissect_ms_compressed_string_internal() was causing a 1 character buffer overflow thus causing the canary to sing ! Fixes bug #1241 svn path=/trunk/; revision=19983
This commit is contained in:
parent
692f21a184
commit
6a9d8055ed
@ -133,10 +133,11 @@ static int dissect_ms_compressed_string_internal(tvbuff_t *tvb, int offset, char
|
|||
offset+=1;
|
||||
*str=0;
|
||||
|
||||
/* XXX: Reserve 4 chars for "...\0" */
|
||||
while(len){
|
||||
/* add potential field separation dot */
|
||||
if(prepend_dot){
|
||||
if(!maxlen){
|
||||
if(maxlen<=4){
|
||||
*str=0;
|
||||
return offset;
|
||||
}
|
||||
|
@ -161,12 +162,10 @@ static int dissect_ms_compressed_string_internal(tvbuff_t *tvb, int offset, char
|
|||
|
||||
prepend_dot=TRUE;
|
||||
|
||||
if(maxlen<=len){
|
||||
if(maxlen>3){
|
||||
*str++='.';
|
||||
*str++='.';
|
||||
*str++='.';
|
||||
}
|
||||
if(len>(maxlen-4)){
|
||||
*str++='.';
|
||||
*str++='.';
|
||||
*str++='.';
|
||||
*str=0;
|
||||
return offset; /* will mess up offset in caller, is unlikely */
|
||||
}
|
||||
|
|
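Review bot: The new guard `if(maxlen<=4){` in the first hunk appears to sit inside the `if(prepend_dot){` branch, so on the first label (no dot prepended) the second hunk's `if(len>(maxlen-4)){` can still write three dots plus the terminator into a buffer of fewer than four bytes; if `maxlen` is unsigned, `maxlen-4` wraps and that check passes for any `len`, and if it is signed it goes negative with the same effect. Unless every caller guarantees a buffer of at least four bytes, the `maxlen<=4` check belongs before the `prepend_dot` branch, e.g. `if(maxlen<=4){ *str=0; return offset; }` as the first statement of the `while(len)` body. That early return also leaves `offset` in the middle of the compressed string; the second hunk's return documents this with `/* will mess up offset in caller, is unlikely */`, and the new return in the first hunk should carry the same note. The literal `4` now encodes the `"...\0"` reserve in both hunks, tied together only by the `/* XXX: Reserve 4 chars for "...\0" */` comment, so a named constant would keep the two checks in step. The function's signature and the declaration of `maxlen` lie outside both hunks, so its type is inferred here.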