From a66714bbad67f92e47f8b5fd5feca5743b10c258 Mon Sep 17 00:00:00 2001
From: AndersBroman <a.broman@bredband.net>
Date: Thu, 2 Jul 2015 05:51:20 +0200
Subject: Fix Buffer overrun while writing to 'airpcap_dir_utf16':  the
 writable size is '520' bytes, but '1042' bytes might be written.

Change-Id: Ic88bc977011eff9ae3c2a4a5ba717e78dbb1171c
Reviewed-on: https://code.wireshark.org/review/9452
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 caputils/ws80211_utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'caputils')

diff --git a/caputils/ws80211_utils.c b/caputils/ws80211_utils.c
index 6b0e7a8552..5b1b5338f5 100644
--- a/caputils/ws80211_utils.c
+++ b/caputils/ws80211_utils.c
@@ -1091,13 +1091,13 @@ const char *ws80211_get_helper_path(void)
 	if (!airpcap_conf_path && RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\AirPcap"), 0, KEY_QUERY_VALUE|KEY_WOW64_32KEY, &h_key) == ERROR_SUCCESS) {
 		DWORD reg_ret;
 		TCHAR airpcap_dir_utf16[MAX_PATH];
-		DWORD ad_size = sizeof(airpcap_dir_utf16);
+		DWORD ad_size = sizeof(airpcap_dir_utf16)/sizeof(TCHAR);
 
 		reg_ret = RegQueryValueEx(h_key, NULL, NULL, NULL,
 				(LPBYTE) &airpcap_dir_utf16, &ad_size);
 
 		if (reg_ret == ERROR_SUCCESS) {
-			airpcap_dir_utf16[ad_size] = L'\0';
+			airpcap_dir_utf16[ad_size-1] = L'\0';
 			g_free(airpcap_conf_path);
 			airpcap_conf_path = g_strdup_printf("%s\\AirpcapConf.exe", utf_16to8(airpcap_dir_utf16));
 
-- 
cgit v1.2.1