authorBill Meier <wmeier@newsguy.com>2012-07-29 18:17:17 +0000
committerBill Meier <wmeier@newsguy.com>2012-07-29 18:17:17 +0000
commit7a22f13aa024cddb24f4063721e2d1a22ae9a362 (patch)
tree76c1b848dbd248ebf2fb3df54f858c0163cd5596
parent2f328434f2ed1bb74601869027dc391c3431f723 (diff)
downloadwireshark-7a22f13aa024cddb24f4063721e2d1a22ae9a362.tar.gz
Fix crash when "file_name_snooping" & "file_full_name_snooping" prefs enabled.
The crash was caused by an incorrect (too large) "max number of bytes" parameter passed to g_snprintf(). Note that g_snprintf() apparently writes to (initializes?) bytes beyond the end of the string actually written. Fixes Bug #7948: (To be confirmed by the user) See: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7498 svn path=/trunk/; revision=44111
-rw-r--r--epan/dissectors/packet-nfs.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
index bfdffaa7f6..6b4912744a 100644
--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
@@ -1092,6 +1092,7 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
*pos = *name;
*pos += g_snprintf(*pos, (*len)+1, "%s", nns->name);
+ g_assert((*pos-*name) <= *len);
return;
}
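Review bot: The added `g_assert((*pos-*name) <= *len);` only runs after g_snprintf() has returned, and it aborts the whole process when it fires, so in a dissector fed by captured traffic an over-long name turns into a crash instead of a malformed-packet report. g_snprintf() returns the length the output would have had without truncation, so `*pos` can end up past the buffer after a truncated write, and if glib assertions are compiled out (G_DISABLE_ASSERT) nothing stops the next write from starting there. Prefer `DISSECTOR_ASSERT((*pos-*name) <= *len);` here and at the matching line in the second hunk, or clamp `*pos` to `*name + *len` when truncation is detected. The body of nfs_full_name_snoop starts and ends outside this hunk.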
@@ -1105,7 +1106,8 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
nfs_full_name_snoop(parent_nns, len, name, pos);
if(*name){
/* make sure components are '/' separated */
- *pos += g_snprintf(*pos, (*len)+1, "%s%s", ((*pos)[-1]!='/')?"/":"", nns->name);
+ *pos += g_snprintf(*pos, (*len+1) - (*pos-*name), "%s%s", ((*pos)[-1]!='/')?"/":"", nns->name);
+ g_assert((*pos-*name) <= *len);
}
return;
}
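Review bot: The new bound `(*len+1) - (*pos-*name)` is signed arithmetic handed to an unsigned size parameter, so if `*pos` is ever more than `*len+1` bytes past `*name` (possible after a truncated earlier call when the assert is compiled out) it wraps to a very large value and the original overflow comes back. Computing the remainder first and bailing out when it is not positive would make the bound self-protecting, e.g. `int room = (*len+1) - (int)(*pos-*name); if (room <= 0) return;` and then passing `room` to g_snprintf(). Separately, `(*pos)[-1]` reads one byte before the buffer if the parent call left `*pos == *name`; whether an empty parent name can occur is not visible in this hunk, so a `*pos > *name` guard is worth considering.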