From 508bec78a39f0c7a2a54986b7616e4f615d6f170 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Thu, 4 May 2017 18:45:55 +0200
Subject: bootp: fix potential buffer overflow (read)

The Vendor class Identifier is a string (used with strncmp). Be sure to
obtain a null-terminated string.

Bug: 13628
Change-Id: Ic6457da171fbfa1bd18366d965d22e942fb080d6
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1183
Bug: 13609
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1153
Reviewed-on: https://code.wireshark.org/review/21498
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
---
 epan/dissectors/packet-bootp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-bootp.c b/epan/dissectors/packet-bootp.c
index 6c590a6a6e..8cc49e1333 100644
--- a/epan/dissectors/packet-bootp.c
+++ b/epan/dissectors/packet-bootp.c
@@ -1866,7 +1866,8 @@ bootp_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree, int voff,
 
 			case 60:
 				*vendor_class_id_p =
-				    tvb_get_ptr(tvb, voff+2, consumed-2);
+					tvb_get_string_enc(wmem_packet_scope(),
+					tvb, voff+2, consumed-2, ENC_ASCII);
 				break;
 			case 119:
 				rfc3396_dns_domain_search_list.total_number_of_block++;
-- 
cgit v1.2.1