Ethereal-dev: [Ethereal-dev] Possible problem in packet-smb-common.c [negative length tvb_memc

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Yaniv Kaul <ykaul@xxxxxxxxxxxx>
Date: Wed, 31 Mar 2004 10:46:29 +0200
Just from reading the code, it seems there's a potential problem of copying a negative-sized buffer in get_unicode_or_ascii_string(), and specifically, in:
     copylen = *len;
     if (copylen > MAX_UNICODE_STR_LEN)
       copylen = MAX_UNICODE_STR_LEN;
     tvb_memcpy(tvb, (guint8 *)cur, *offsetp, copylen);
     cur[copylen] = '\0';


len is an int:
const gchar *
get_unicode_or_ascii_string(tvbuff_t *tvb, int *offsetp,
   gboolean useunicode, int *len, gboolean nopad, gboolean exactlen,
   guint16 *bcp)
{


The above problem may arise if exactlen is positive and *len is negative, which, it seems, might happen. For example, in packet-smb.c:
    /* label */
    fn_len = fnl;
    fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, FALSE, TRUE, bcp);

a bit earlier above:
    fnl = tvb_get_letohl(tvb, offset);
and the variables declaration:
    int fn_len, vll, fnl;


Again, this is all just from code reading, so I might be wrong here.
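The pattern the message describes, worked through as an added example (this is not Ethereal's code and not from the poster; it reproduces the shape of the quoted clamp with constructed packet bytes). The value of MAX_UNICODE_STR_LEN, the read_le32() stand-in for tvb_get_letohl(), and the copy_bounded() helper are assumptions made for illustration. It shows how a 0xFFFFFFFF length field becomes -1 once stored in an int, slips through a clamp that only checks the upper bound, and would reach memcpy as SIZE_MAX; the checked variants reject it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constant for illustration; the real value lives in packet-smb-common.c. */
#define MAX_UNICODE_STR_LEN 256

/* Constructed stand-in for tvb_get_letohl(): read a 32-bit little-endian field. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The clamp in the shape quoted in the message: only the upper bound is checked,
 * so a negative len passes straight through to the copy. */
static int clamp_as_quoted(int len)
{
    int copylen = len;
    if (copylen > MAX_UNICODE_STR_LEN)
        copylen = MAX_UNICODE_STR_LEN;
    return copylen;
}

/* Hardened variant: reject negative lengths before clamping. Returns -1 on rejection. */
static int clamp_checked(int len)
{
    if (len < 0)
        return -1;
    return len > MAX_UNICODE_STR_LEN ? MAX_UNICODE_STR_LEN : len;
}

/* What a memcpy-style callee receives when an int copylen is converted to size_t:
 * -1 becomes SIZE_MAX. */
static size_t length_as_seen_by_memcpy(int copylen)
{
    return (size_t)copylen;
}

/* Bounded copy (assumed helper) that refuses negative or oversized requests instead of
 * trusting the caller's clamp. Returns bytes copied, or -1 if the request was rejected. */
static long copy_bounded(uint8_t *dst, size_t dstsz,
                         const uint8_t *src, size_t srclen, int copylen)
{
    if (copylen < 0)
        return -1;                               /* would otherwise become a huge size_t */
    if ((size_t)copylen > srclen || (size_t)copylen + 1 > dstsz)
        return -1;                               /* source underrun or no room for NUL */
    memcpy(dst, src, (size_t)copylen);
    dst[copylen] = '\0';
    return copylen;
}

int main(void)
{
    /* Constructed packet bytes: a length field of 0xFFFFFFFF followed by a short label. */
    const uint8_t pkt[] = { 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c', 0 };
    /* Same int conversion as "fnl = tvb_get_letohl(...)" with fnl declared int;
     * on two's-complement targets 0xFFFFFFFF becomes -1. */
    int fnl = (int)read_le32(pkt);
    uint8_t cur[MAX_UNICODE_STR_LEN + 1];

    printf("fnl as int: %d\n", fnl);
    printf("copylen after quoted clamp: %d\n", clamp_as_quoted(fnl));
    printf("size memcpy would receive: %zu\n",
           length_as_seen_by_memcpy(clamp_as_quoted(fnl)));
    printf("copylen after checked clamp: %d\n", clamp_checked(fnl));
    printf("bounded copy result: %ld\n",
           copy_bounded(cur, sizeof cur, pkt + 4, sizeof pkt - 4, clamp_checked(fnl)));
    return 0;
}
```

The practical check is the one clamp_checked() and copy_bounded() share: a length that came off the wire as a 32-bit field must be tested for being negative (or kept unsigned and compared against the available bytes) before it is used as a copy size, because an upper-bound-only clamp does nothing for it.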