Hi John,
thanks, your explanation helped a lot. However I still don't get why the code crashes. Please let me use the actual buffer sizes since the ones I told before were examples. The packet is 49, the local buffer is 15.
When you call tvb_get_nstringz0() you pass in bufsize = 15.
tvb_get_nstringz0() calls _tvb_get_nstringz()
check_offset_len() runs to the end of the packet, setting len to 49.
Since len >= bufsize, it sets limit = bufsize.
stringlen = tvb_strnlen(tvb, abs_offset, limit - 1) looks at the first 9 bytes, doesn't find a NUL, returns -1
That's a point I don't get. This piece of code (stringlen = tvb_strnlen(tvb, 0, 14)) actually returns 49. Despite the fact that NULL is present or not, shouldn't this function fulfill the (limit - 1)? Shouldn't that return 14 at most?
stringlen is -1, tvb_memcpy copies over limit (10) bytes into buffer from tvb, bytes_copies is set to 10, _tvb_get_nstringz() returns -1.
That's where things start to get hairy: stringlen is 49, then the actual copy starts against buffer, that is only 15 bytes long. Crash.
