Hi John, thanks, your explanation helped a lot. However I still don't get why the code crashes. Please let me use the actual buffer sizes since the ones I told before were examples. The packet is 49, the local buffer is 15.
When you call tvb_get_nstringz0() you pass in bufsize = 15. > tvb_get_nstringz0() calls _tvb_get_nstringz() > check_offset_len() runs to the end of the packet, setting len to 49. > Since len >= bufsize, it sets limit = bufsize. > stringlen = tvb_strnlen(tvb, abs_offset, limit - 1) looks at the first 9 > bytes, doesn't find a NUL, returns -1 > That's a point I don't get. This piece of code (stringlen = tvb_strnlen(tvb, 0, 14)) actually returns 49. Despite the fact that NULL is present or not, shouldn't this function fulfill the (limit - 1)? Shouldn't that return 14 at most? > stringlen is -1, tvb_memcpy copies over limit (10) bytes into buffer from > tvb, bytes_copies is set to 10, _tvb_get_nstringz() returns -1. > That's where things start to get hairy: stringlen is 49, then the actual copy starts against buffer, that is only 15 bytes long. Crash.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
