From Neil Kettle

Fix two potential buffer overflow bugs in fc els

git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@14027 f5534014-38df-0310-8fa8-9805f1628bb7

diff --git a/AUTHORS b/AUTHORS
index 525135319faf4bab3e5cbaaff28208b179203c52..1b2a4b2660d7a561a69362872f7feeb4a8695fd3 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -2429,6 +2429,7 @@ Jaap Keuter               <jaap.keuter [AT] xs4all.nl>
 Frederic Peters                <fpeters [AT] debian.org>
 Anton Ivanov           <anthony_johnson [AT] mail.ru>
 Ilya Konstantinov      <future [AT] shiny.co.il> 
+Neil Kettle            <njk4 [AT] kent.ac.uk>
 
 Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to
 give his permission to use his version of snprintf.c.

diff --git a/epan/dissectors/packet-fcels.c b/epan/dissectors/packet-fcels.c
index 8b1ae55c37debf62bd1e8e00c480f63c91d1ed52..3dcb582c2f902a6d56f8d82a750a91eda025dd7f 100644 (file)
--- a/epan/dissectors/packet-fcels.c
+++ b/epan/dissectors/packet-fcels.c
@@ -476,6 +476,9 @@ construct_rcptctl_string (guint16 flag, gchar *flagstr, guint8 opcode)
     }
 }
 
+/* Maximum length of possible string from, construct_*_string
+ * 296 bytes, FIX possible buffer overflow */
+#define FCELS_LOGI_MAXSTRINGLEN 512
 
 static void
 dissect_fcels_logi (tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
@@ -487,7 +490,7 @@ dissect_fcels_logi (tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
         class;
     proto_tree *logi_tree, *cmnsvc_tree;
     proto_item *subti;
-    gchar flagstr[256];
+    gchar flagstr[FCELS_LOGI_MAXSTRINGLEN];
     guint16 flag;
     
     if (tree) {
@@ -1064,6 +1067,10 @@ dissect_fcels_lsts (tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
     }
 }
 
+/* Maximum length of possible string from, dissect_fcels_prlilo_payload
+ * 119 bytes, FIX possible buffer overflow */
+#define FCELS_PRLILO_MAXSTRINGLEN 256
+
 static void
 dissect_fcels_prlilo_payload (tvbuff_t *tvb, packet_info *pinfo _U_,
                               guint8 isreq, proto_item *ti, guint8 opcode)
@@ -1074,7 +1081,7 @@ dissect_fcels_prlilo_payload (tvbuff_t *tvb, packet_info *pinfo _U_,
     proto_tree *prli_tree, *svcpg_tree;
     int num_svcpg, payload_len, i, flag;
     proto_item *subti;
-    gchar flagstr[100];
+    gchar flagstr[FCELS_PRLILO_MAXSTRINGLEN];
 
     /* We're assuming that we're invoked only if tree is not NULL i.e.
      * we don't do the usual "if (tree)" check here, the caller must.