diff options
author | Peter Wu <peter@lekensteyn.nl> | 2017-05-04 18:45:55 +0200 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2017-05-04 18:56:32 +0000 |
commit | 508bec78a39f0c7a2a54986b7616e4f615d6f170 (patch) | |
tree | 53b0655b6a57b982831a77d75402cf7f3fe3cef8 | |
parent | 2f35a811a33e21b06adf917051aa9a7a66c95544 (diff) | |
download | wireshark-508bec78a39f0c7a2a54986b7616e4f615d6f170.tar.gz |
bootp: fix potential buffer overflow (read)
The Vendor class Identifier is a string (used with strncmp). Be sure to
obtain a null-terminated string.
Bug: 13628
Change-Id: Ic6457da171fbfa1bd18366d965d22e942fb080d6
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1183
Bug: 13609
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1153
Reviewed-on: https://code.wireshark.org/review/21498
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
-rw-r--r-- | epan/dissectors/packet-bootp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/epan/dissectors/packet-bootp.c b/epan/dissectors/packet-bootp.c index 6c590a6a6e..8cc49e1333 100644 --- a/epan/dissectors/packet-bootp.c +++ b/epan/dissectors/packet-bootp.c @@ -1866,7 +1866,8 @@ bootp_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree, int voff, case 60: *vendor_class_id_p = - tvb_get_ptr(tvb, voff+2, consumed-2); + tvb_get_string_enc(wmem_packet_scope(), + tvb, voff+2, consumed-2, ENC_ASCII); break; case 119: rfc3396_dns_domain_search_list.total_number_of_block++; |