diff options
author | Bill Meier <wmeier@newsguy.com> | 2012-07-29 18:17:17 +0000 |
---|---|---|
committer | Bill Meier <wmeier@newsguy.com> | 2012-07-29 18:17:17 +0000 |
commit | 7a22f13aa024cddb24f4063721e2d1a22ae9a362 (patch) | |
tree | 76c1b848dbd248ebf2fb3df54f858c0163cd5596 | |
parent | 2f328434f2ed1bb74601869027dc391c3431f723 (diff) | |
download | wireshark-7a22f13aa024cddb24f4063721e2d1a22ae9a362.tar.gz |
Fix crash when "file_name_snooping" & "file_full_name_snooping" prefs enabled.
Crash due to a g_snprintf() incorrect (too large) "max number of bytes" parameter.
Note that g_snprintf() apparently writes to (initializes ?) bytes beyond the
actual string written.
Fixes Bug #7948: (To be confirmed by the user)
See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7498
svn path=/trunk/; revision=44111
-rw-r--r-- | epan/dissectors/packet-nfs.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c index bfdffaa7f6..6b4912744a 100644 --- a/epan/dissectors/packet-nfs.c +++ b/epan/dissectors/packet-nfs.c @@ -1092,6 +1092,7 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos) *pos = *name; *pos += g_snprintf(*pos, (*len)+1, "%s", nns->name); + g_assert((*pos-*name) <= *len); return; } @@ -1105,7 +1106,8 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos) nfs_full_name_snoop(parent_nns, len, name, pos); if(*name){ /* make sure components are '/' separated */ - *pos += g_snprintf(*pos, (*len)+1, "%s%s", ((*pos)[-1]!='/')?"/":"", nns->name); + *pos += g_snprintf(*pos, (*len+1) - (*pos-*name), "%s%s", ((*pos)[-1]!='/')?"/":"", nns->name); + g_assert((*pos-*name) <= *len); } return; } |