Fix: UA3G read past end of tvb + NOE key descriptions

packet-ua3g.c: Start tone device routing packet causes exception because it adds a subtree with length 6 where it should be 3. Changed 6 to 3. packet-noe.c: Key description is incomplete because buffer reserved is only 10 bytes long and key descriptions are up to 23 bytes long. Changed buffer length to 24. Bug: 13502 Change-Id: I8212d23c650efd341e87f766a80a887ef82f4b0b Reviewed-on: https://code.wireshark.org/review/20633 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2017-03-19 19:19:11 +01:00 · 2017-03-19 19:19:11 +01:00 · 9a81d2ec37
parent 0fdbaa4f18
commit 9a81d2ec37
2 changed files with 5 additions and 5 deletions
--- a/epan/dissectors/packet-noe.c
+++ b/epan/dissectors/packet-noe.c
@ -856,7 +856,7 @@ static char *decode_key_name(int unicode)
 {
    char *key_name;

-    key_name = (char *)wmem_alloc(wmem_packet_scope(), 10);
+    key_name = (char *)wmem_alloc(wmem_packet_scope(), 24);

    if ((unicode <= 0x20)
        || (unicode == 0x7F)
@ -866,15 +866,15 @@ static char *decode_key_name(int unicode)
        || (unicode == 0xE9)
        || (unicode == 0xF9))
    {
-        g_snprintf(key_name, 10, "%s", val_to_str_ext_const(unicode, &str_key_name_ext, "Unknown"));
+        g_snprintf(key_name, 24, "%s", val_to_str_ext_const(unicode, &str_key_name_ext, "Unknown"));
    }
    else if (unicode <= 0xFF)
    {
-        g_snprintf(key_name, 10, "%c", unicode);
+        g_snprintf(key_name, 24, "%c", unicode);
    }
    else
    {
-        g_snprintf(key_name, 10, "%s", val_to_str_ext_const(unicode, &str_key_name_ext, "Unknown"));
+        g_snprintf(key_name, 24, "%s", val_to_str_ext_const(unicode, &str_key_name_ext, "Unknown"));
    }
    return key_name;
 }
--- a/epan/dissectors/packet-ua3g.c
+++ b/epan/dissectors/packet-ua3g.c
@ -1338,7 +1338,7 @@ decode_ip_device_routing(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo,
                    tone_silence = tvb_get_guint8(tvb, offset + 2);
 #endif

-                    ua3g_param_tree = proto_tree_add_subtree_format(ua3g_body_tree, tvb, offset, 6,
+                    ua3g_param_tree = proto_tree_add_subtree_format(ua3g_body_tree, tvb, offset, 3,
 #if 0
                        ett_ua3g_param, NULL, "Tone Pair %d: Id: %d, Duration: %d ms, Silence: %d ms",
                        ii+1, tone_id, tone_duration, tone_silence);