From 48fac2a18debb2969413e03f3d88bbb9c31500ae Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Mon, 14 May 2018 17:29:52 +0200 Subject: gsm_a_dtap: fix off-by-one buffer overflow (write) The output buffer needs one more byte for the string terminator. Bug: 14688 Change-Id: I7d606aa8fb769fd65ba894f0472ada3543a1e3cd Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6420 Reviewed-on: https://code.wireshark.org/review/27539 Petri-Dish: Peter Wu Tested-by: Petri Dish Buildbot Reviewed-by: Pascal Quantin Reviewed-by: Anders Broman --- epan/dissectors/packet-gsm_a_dtap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-gsm_a_dtap.c b/epan/dissectors/packet-gsm_a_dtap.c
index 9c100a45c9..d15e219301 100644
--- a/epan/dissectors/packet-gsm_a_dtap.c
+++ b/epan/dissectors/packet-gsm_a_dtap.c
@@ -2334,7 +2334,7 @@ de_sub_addr(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, guint32 offset,
 {
 ia5_string_len = len - (curr_offset - offset);
 ia5_string = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, curr_offset, ia5_string_len);
- *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len);
+ *extracted_address = (gchar *)wmem_alloc(wmem_packet_scope(), ia5_string_len + 1);
 
 invalid_ia5_char = FALSE;
 for(i = 0; i < ia5_string_len; i++)
-- cgit v1.2.3
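Review bot: The extra byte reserved by `ia5_string_len + 1` only closes the overflow if the terminator is actually stored after the copy loop, and that write is not in this hunk — it should be confirmed on the lines past `for(i = 0; i < ia5_string_len; i++)`, presumably `(*extracted_address)[ia5_string_len] = '\0';`. A way to make the guarantee structural rather than dependent on loop control flow is `*extracted_address = (gchar *)wmem_alloc0(wmem_packet_scope(), ia5_string_len + 1);`, which leaves the buffer NUL-terminated even if the loop stops early on an invalid IA5 character (whether it does is not visible here). The allocation line also deserves a why-comment so the `+ 1` is not "simplified" away again: `/* +1: room for the NUL terminator stored after the copy loop */`. The length `len - (curr_offset - offset)` is unsigned arithmetic whose operand types are outside the hunk; the preceding `tvb_memdup` would presumably throw on an underflowed length before the allocation is reached, but that ordering is worth keeping in mind if the lines are ever reordered. de_sub_addr's body starts and ends outside the hunk.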