(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-mount.c) |
| 267 | | | dissect_group(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree) |
| 268 | | | { |
| 269 | | | int len,str_len; |
| 270 | | | len=tvb_get_ntohl(tvb,offset); |
| 271 | | | if (group_names_len < MAX_GROUP_NAME_LIST - 5) { |
Event 1:
Taking true branch. group_names_len < 128 - 5 evaluates to true.
| 272 | | | str_len=tvb_get_nstringz(tvb,offset+4, |
| 273 | | | MAX_GROUP_NAME_LIST-5-group_names_len, |
| 274 | | | group_name_list+group_names_len); |
| 275 | | | if((group_names_len>=(MAX_GROUP_NAME_LIST-5))||(str_len<0)){ |
| 276 | | | g_snprintf(group_name_list+(MAX_GROUP_NAME_LIST-5), 5, "..."); |
| 277 | | | group_names_len=MAX_GROUP_NAME_LIST; |
Event 4:
group_names_len is set to 128.
- This determines the position accessed in the buffer during the buffer overrun later.
| 278 | | | } else { |
| 279 | | | group_names_len+=str_len; |
| 280 | | | group_name_list[group_names_len++]=' '; |
| 281 | | | } |
| 282 | | | group_name_list[group_names_len]=0; |
Buffer Overrun
This code writes past the end of group_name_list.
- The byte written is at offset group_names_len from the beginning of group_name_list, whose capacity is 128 bytes.
- The offset exceeds the capacity.
- group_names_len evaluates to 128. See related event 4.
- The overrun occurs in static memory.
The issue can occur if the highlighted code executes. See related event 4.