https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7552
--- Comment #9 from David Drysdale <drysdale@xxxxxxxxxx> 2012-08-31 02:07:19 PDT ---
(In reply to comment #7)
> Guys,
>
> This looks pretty dangerous:
> tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4));
>
> optlen is fetched from tvb, and it only needs to be smaller than rropt_len.
> When optlen < 4 tvb_memcpy() should throw exception, but with optlen > 16
> (sizeof ip_addr) we'll have buffer overflow.
Good spot; would a MIN() fix the problem?
Index: packet-dns.c
===================================================================
--- packet-dns.c (revision 44708)
+++ packet-dns.c (working copy)
@@ -2299,7 +2299,7 @@
proto_tree_add_item(rropt_tree, hf_dns_rr_opt_client_scope, tvb,
cur_offset, 1, ENC_BIG_ENDIAN);
cur_offset += 1;
- tvb_memcpy(tvb, ip_addr.bytes, cur_offset, (optlen - 4));
+ tvb_memcpy(tvb, ip_addr.bytes, cur_offset, MIN((size_t)(optlen -
4), sizeof(ip_addr)));
switch(family) {
case AFNUM_INET:
proto_tree_add_ipv4(rropt_tree, hf_dns_rr_opt_client_addr4, tvb,
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
