diff options
| author | Peter Wu <peter@lekensteyn.nl> | 2016-02-20 16:02:54 +0100 |
|---|---|---|
| committer | Peter Wu <peter@lekensteyn.nl> | 2016-02-20 15:18:08 +0000 |
| commit | 3b644a75c9530b8fc60e2fa964dfb2ae327e240d (patch) | |
| tree | 4f4894c15139619ae2fdfc51de31bd660ec37f69 | |
| parent | 55b5b7caf3ec4856838b0416d5a91d3a3ff67ec8 (diff) | |
| download | wireshark-3b644a75c9530b8fc60e2fa964dfb2ae327e240d.tar.gz | |
Fix various off-by-one in buffer sizes
Some only allow buffer overruns (read), others also buffer overflows
(write).
Found by looking for '\[ *N *\]' where N is 255, 0xff, 15 and 0xf (case
insensitive).
Change-Id: I250687e2fdeb8fbd5eaf0bbb8251c3dab9640760
Reviewed-on: https://code.wireshark.org/review/14034
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
| -rw-r--r-- | epan/dissectors/packet-q2931.c | 2 | ||||
| -rw-r--r-- | epan/dissectors/packet-q931.c | 2 | ||||
| -rw-r--r-- | epan/dissectors/packet-q933.c | 2 | ||||
| -rw-r--r-- | ui/cli/tap-gsm_astat.c | 20 | ||||
| -rw-r--r-- | wiretap/catapult_dct2000.c | 2 |
5 files changed, 14 insertions, 14 deletions
diff --git a/epan/dissectors/packet-q2931.c b/epan/dissectors/packet-q2931.c index d8f5812363..c5b5bfb1a1 100644 --- a/epan/dissectors/packet-q2931.c +++ b/epan/dissectors/packet-q2931.c @@ -1873,7 +1873,7 @@ dissect_q2931(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U proto_tree *q2931_tree = NULL; proto_item *ti; guint8 call_ref_len; - guint8 call_ref[15]; + guint8 call_ref[16]; guint8 message_type; guint8 message_type_ext; guint16 message_len; diff --git a/epan/dissectors/packet-q931.c b/epan/dissectors/packet-q931.c index b4a02ae21b..654f03c004 100644 --- a/epan/dissectors/packet-q931.c +++ b/epan/dissectors/packet-q931.c @@ -2483,7 +2483,7 @@ dissect_q931_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, proto_item *ti; guint8 prot_discr; guint8 call_ref_len; - guint8 call_ref[15]; + guint8 call_ref[16]; guint32 call_ref_val; guint8 message_type, segmented_message_type; guint8 info_element; diff --git a/epan/dissectors/packet-q933.c b/epan/dissectors/packet-q933.c index c734c90fe8..aae33a7ff4 100644 --- a/epan/dissectors/packet-q933.c +++ b/epan/dissectors/packet-q933.c @@ -1795,7 +1795,7 @@ dissect_q933(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_ proto_item *ti; proto_tree *ie_tree = NULL; guint8 call_ref_len; - guint8 call_ref[15]; + guint8 call_ref[16]; guint8 message_type; guint8 info_element; guint16 info_element_len; diff --git a/ui/cli/tap-gsm_astat.c b/ui/cli/tap-gsm_astat.c index 4454f12863..8b5bb2b5ab 100644 --- a/ui/cli/tap-gsm_astat.c +++ b/ui/cli/tap-gsm_astat.c @@ -44,16 +44,16 @@ void register_tap_listener_gsm_astat(void); typedef struct _gsm_a_stat_t { - int bssmap_message_type[0xff]; - int dtap_mm_message_type[0xff]; - int dtap_rr_message_type[0xff]; - int dtap_cc_message_type[0xff]; - int dtap_gmm_message_type[0xff]; - int dtap_sms_message_type[0xff]; - int dtap_sm_message_type[0xff]; - int dtap_ss_message_type[0xff]; - int dtap_tp_message_type[0xff]; - int sacch_rr_message_type[0xff]; + int bssmap_message_type[0x100]; + int dtap_mm_message_type[0x100]; + int dtap_rr_message_type[0x100]; + int dtap_cc_message_type[0x100]; + int dtap_gmm_message_type[0x100]; + int dtap_sms_message_type[0x100]; + int dtap_sm_message_type[0x100]; + int dtap_ss_message_type[0x100]; + int dtap_tp_message_type[0x100]; + int sacch_rr_message_type[0x100]; } gsm_a_stat_t; diff --git a/wiretap/catapult_dct2000.c b/wiretap/catapult_dct2000.c index 8fb016f03e..a42bc52b1c 100644 --- a/wiretap/catapult_dct2000.c +++ b/wiretap/catapult_dct2000.c @@ -1494,7 +1494,7 @@ hex_from_char(gchar c) /* Table allowing fast lookup from a pair of ascii hex characters to a guint8 */ -static guint8 s_tableValues[255][255]; +static guint8 s_tableValues[256][256]; /* Prepare table values so ready so don't need to check inside hex_byte_from_chars() */ static void prepare_hex_byte_from_chars_table(void) |