POP: replace wmem_strndup by tvb_memcpy

gdd3b977 introduced the use of wmem_strndup to ensure that the string is NULL terminated. But it also stops as soon as it finds a NULL character, which can happen with malformed packets. So let's copy all the bytes with tvb_memcpy and add manually a NULL character at the end of the buffer for safeness. Bug: 13074 Change-Id: I9ae65d739a92bc6167e4acfc275e1909f3890815 Reviewed-on: https://code.wireshark.org/review/18582 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2016-10-30 19:41:26 +01:00 · 2016-10-30 19:41:26 +01:00 · e3b2b2fdc3
parent d8fca58c16
commit e3b2b2fdc3
1 changed files with 4 additions and 6 deletions
--- a/epan/dissectors/packet-pop.c
+++ b/epan/dissectors/packet-pop.c
@ -136,7 +136,7 @@ dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
  proto_tree             *pop_tree, *reqresp_tree;
  proto_item             *ti;
  gint                   offset = 0;
-  const guchar           *line;
+  guchar                 *line;
  gint                   next_offset;
  int                    linelen;
  int                    tokenlen;
@ -165,13 +165,11 @@ dissect_pop(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)

  /*
   * Find the end of the first line.
-   *
-   * Note that "tvb_find_line_end()" will return a value that is
-   * not longer than what's in the buffer, so the "tvb_get_ptr()"
-   * call won't throw an exception.
   */
  linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, FALSE);
-  line = wmem_strndup(wmem_packet_scope(), tvb_get_ptr(tvb, offset, linelen), linelen);
+  line = (guchar*)wmem_alloc(wmem_packet_scope(), linelen+1);
+  tvb_memcpy(tvb, line, offset, linelen);
+  line[linelen] = '\0';

  if (pinfo->match_uint == pinfo->destport) {
    is_request = TRUE;