On Mon, Jun 10, 2002 at 12:59:20PM +1000, Peter Hawkins wrote:

> A not too dangerous one:
> packet-beep.c line 473:
> - -tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff), i));
> +tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff) - 1, i));
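Review bot: reserving one byte with MIN(sizeof(int_buff) - 1, i) only helps if int_buff is then NUL-terminated, and the hunk shows no terminator being written after the copy; confirm that int_buff is zero-initialised before the call or that a line such as int_buff[MIN(sizeof(int_buff) - 1, i)] = '\0'; follows it, otherwise a full-length value still leaves the buffer unterminated for whatever reads it next.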
Checked in.

> A probably exploitable buffer overflow:
> packet-scsi.c line 1346:
> - -tvb_get_nstringz0 (tvb, offset, plen, str);
> +tvb_get_nstringz0(tvb, offset, MIN(plen, sizeof(str)), str);

Checked in...

...with MIN(plen, sizeof(str)) changed to MIN(plen, sizeof(str) - 1) (the length argument to "tvb_get_nstringz0()" is the maximum length of the string *not* counting the trailing '\0'), and with "str" itself increased in length to 257 bytes (to hold the maximum-length string).
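Review bot: MIN(plen, sizeof(str)) still permits a one-byte overrun, because the length argument to tvb_get_nstringz0() excludes the trailing '\0' that the function writes, so the bound must be sizeof(str) - 1 (as the follow-up reply applies); the shape of the fix is right in that plen comes from the packet and is clamped against the fixed-size stack buffer rather than trusted, but the truncation should be documented at the call site so a later reader does not "simplify" it back to sizeof(str).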
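The off-by-one the reply describes (a length argument that does not count the terminator, so the buffer must have one spare byte) is easy to get wrong on every call. The following is an added example and not Ethereal's own code: copy_nstringz0_model() is a hypothetical stand-in that only models the semantics stated above (copy up to maxlen characters, then always write a '\0'), the MIN macro and the packet bytes are constructed for the example, and the real tvb_get_nstringz0() signature is not reproduced. It shows the sentinel byte being clobbered when the bound is the full buffer size and left intact when one byte is reserved for the terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) (((a) < (b)) ? (a) : (b))   /* assumed; same shape as the hunks */

/* Hypothetical model of the described semantics (not the real function):
 * copy at most maxlen characters from src (stopping at a NUL in src), then
 * ALWAYS write a terminator. It therefore touches maxlen + 1 bytes of dst.
 * Returns the number of characters copied, excluding the terminator. */
static size_t copy_nstringz0_model(const unsigned char *src, size_t srclen,
                                   size_t maxlen, char *dst)
{
    size_t n = 0;
    while (n < maxlen && n < srclen && src[n] != '\0') {
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';          /* written even when n == maxlen */
    return n;
}

/* Mirrors the checked-in fix: the packet-supplied length plen is clamped to
 * strsize - 1 so the terminator written by the copy still fits in str. */
static size_t bounded_get(const unsigned char *pkt, size_t pktlen,
                          size_t plen, char *str, size_t strsize)
{
    return copy_nstringz0_model(pkt, pktlen, MIN(plen, strsize - 1), str);
}

/* Fills a 16-byte "str" guarded by one sentinel byte, asks the copy for
 * 'request' characters bounded by MIN(request, 16 - reserve), and returns the
 * highest index that was written. Index 16 means the sentinel was hit, i.e.
 * the one-byte overrun that MIN(plen, sizeof(str)) allowed. */
static size_t highest_index_written(size_t request, size_t reserve)
{
    unsigned char src[64];
    char buf[16 + 1];                    /* 16-byte str plus one sentinel */
    memset(src, 'A', sizeof(src));       /* constructed over-long field */
    memset(buf, 0x7f, sizeof(buf));      /* sentinel pattern */
    copy_nstringz0_model(src, sizeof(src), MIN(request, 16 - reserve), buf);
    size_t hi = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0x7f) hi = i;
    return hi;
}

/* Constructed packet: a 10-byte name whose length field says 10, read into a
 * hypothetical 8-byte str. Returns the copied length if the result is
 * properly terminated inside the buffer, or (size_t)-1 otherwise. */
static size_t demo_fixed_copy(void)
{
    const unsigned char pkt[] = "HELLOWORLD";   /* constructed sample */
    char str[8];
    size_t n = bounded_get(pkt, sizeof(pkt) - 1, 10, str, sizeof(str));
    return (n < sizeof(str) && str[n] == '\0') ? n : (size_t)-1;
}

int main(void)
{
    printf("bound = sizeof(str):     highest index written = %zu (sentinel is 16)\n",
           highest_index_written(64, 0));
    printf("bound = sizeof(str) - 1: highest index written = %zu\n",
           highest_index_written(64, 1));
    printf("clamped copy kept %zu characters of a 10-byte field in an 8-byte buffer\n",
           demo_fixed_copy());
    return 0;
}
```

The first call reproduces the original patch's bound and lands the terminator on the sentinel at index 16; the second reproduces the checked-in bound and stops at index 15. The same reasoning applies to the packet-beep.c hunk if the copied buffer is later treated as a C string.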