Fix Buffer overrun while writing to 'airpcap_dir_utf16': the writable

author AndersBroman <a.broman@bredband.net>

Thu, 2 Jul 2015 03:51:20 +0000 (05:51 +0200)

committer Anders Broman <a.broman58@gmail.com>

Thu, 2 Jul 2015 03:54:26 +0000 (03:54 +0000)
author AndersBroman <a.broman@bredband.net>
Thu, 2 Jul 2015 03:51:20 +0000 (05:51 +0200)
committer Anders Broman <a.broman58@gmail.com>
Thu, 2 Jul 2015 03:54:26 +0000 (03:54 +0000)
diff --git a/caputils/ws80211_utils.c b/caputils/ws80211_utils.c

index 6b0e7a8552e0930e600c6dc53bbe5ceb60d22ef7..5b1b5338f571baca4bfe2c0ff073af09784136f9 100644 (file)
--- a/caputils/ws80211_utils.c
+++ b/caputils/ws80211_utils.c
@@ -1091,13 +1091,13 @@ const char *ws80211_get_helper_path(void)
         if (!airpcap_conf_path && RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\AirPcap"), 0, KEY_QUERY_VALUE|KEY_WOW64_32KEY, &h_key) == ERROR_SUCCESS) {
                 DWORD reg_ret;
                 TCHAR airpcap_dir_utf16[MAX_PATH];
-               DWORD ad_size = sizeof(airpcap_dir_utf16);
+               DWORD ad_size = sizeof(airpcap_dir_utf16)/sizeof(TCHAR);
  
                 reg_ret = RegQueryValueEx(h_key, NULL, NULL, NULL,
                                 (LPBYTE) &airpcap_dir_utf16, &ad_size);
  
                 if (reg_ret == ERROR_SUCCESS) {
-                       airpcap_dir_utf16[ad_size] = L'\0';
+                       airpcap_dir_utf16[ad_size-1] = L'\0';
                         g_free(airpcap_conf_path);
                         airpcap_conf_path = g_strdup_printf("%s\\AirpcapConf.exe", utf_16to8(airpcap_dir_utf16));
author	AndersBroman <a.broman@bredband.net>
	Thu, 2 Jul 2015 03:51:20 +0000 (05:51 +0200)
committer	Anders Broman <a.broman58@gmail.com>
	Thu, 2 Jul 2015 03:54:26 +0000 (03:54 +0000)