Re: tvb_get_nstringz0

[Dario Lombardo <lomato () gmail com>]

Hi John,
thanks, your explanation helped a lot. However I still don't get why the
code crashes. Please let me use the actual buffer sizes since the ones I
told before were examples. The packet is 49, the local buffer is 15.

When you call tvb_get_nstringz0() you pass in bufsize = 15.
> tvb_get_nstringz0() calls _tvb_get_nstringz()
> check_offset_len() runs to the end of the packet, setting len to 49.
> Since len >= bufsize, it sets limit = bufsize.
> stringlen = tvb_strnlen(tvb, abs_offset, limit - 1) looks at the first 9
> bytes, doesn't find a NUL, returns -1

That's a point I don't get. This piece of code (stringlen =
tvb_strnlen(tvb, 0, 14)) actually returns 49. Despite the fact that NULL is
present or not, shouldn't this function fulfill the (limit - 1)? Shouldn't
that return 14 at most?


> stringlen is -1, tvb_memcpy copies over limit (10) bytes into buffer from
> tvb, bytes_copies is set to 10, _tvb_get_nstringz() returns -1.

That's where things start to get hairy: stringlen is 49, then the actual
copy starts against buffer, that is only 15 bytes long. Crash.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe