X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/9a6a6502413e657277e74ac1d0842ddca34cab50..44d21c36a135710261a1ae9733f12bf9ef9c2aa6:/smbutil.c
diff --git a/smbutil.c b/smbutil.c
index 92c3f42a..a8203bf6 100644
--- a/smbutil.c
+++ b/smbutil.c
@@ -422,7 +422,7 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1],
 if (l < MAX_UNISTR_SIZE) {
 if (ND_ASCII_ISPRINT(c)) {
 /* It's a printable ASCII character */
- (*buf)[l] = c;
+ (*buf)[l] = (char)c;
 } else {
 /* It's a non-ASCII character or a non-printable ASCII character */
 (*buf)[l] = '.';
@@ -454,7 +454,7 @@ unistr(netdissect_options *ndo, char (*buf)[MAX_UNISTR_SIZE+1],
 if (l < MAX_UNISTR_SIZE) {
 if (ND_ASCII_ISPRINT(c)) {
 /* It's a printable ASCII character */
- (*buf)[l] = c;
+ (*buf)[l] = (char)c;
 } else {
 /* It's a non-ASCII character or a non-printable ASCII character */
 (*buf)[l] = '.';
@@ -873,11 +873,26 @@ smb_fdata(netdissect_options *ndo,
 while (*fmt) {
 switch (*fmt) {
 case '*':
+ /*
+ * List of multiple instances of something described by the
+ * remainder of the string (which may itself include a list
+ * of multiple instances of something, so we recurse).
+ */
 fmt++;
 while (buf < maxbuf) {
 const u_char *buf2;
 depth++;
- buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
+ /*
+ * In order to avoid stack exhaustion recurse at most 10
+ * levels; that "should not happen", as no SMB structure
+ * should be nested *that* deeply, and we thus shouldn't
+ * have format strings with that level of nesting.
+ */
+ if (depth == 10) {
+ ND_PRINT("(too many nested levels, not recursing)");
+ buf2 = buf;
+ } else
+ buf2 = smb_fdata(ndo, buf, fmt, maxbuf, unicodestr);
 depth--;
 if (buf2 == NULL)
 return(NULL);
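Review bot: The new `(char)c` narrowing cast is lossless only because the `ND_ASCII_ISPRINT(c)` test on the line above has already confined `c` to the printable 7-bit range, and neither the existing comment nor the new line records that dependency, so a later reordering of the two could silently truncate wider code units. I would extend the existing comment to `/* It's a printable ASCII character (0x20..0x7E), so narrowing to char is lossless */`. The same cast appears in the second hunk at line 454, which is a byte-for-byte copy of this block; the two copies could share a small static helper, though that is outside what this commit changes. The enclosing function unistr() starts and ends outside both hunks.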
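Review bot: The recursion guard `if (depth == 10)` uses a bare magic number and an equality test, so the limit is neither named nor robust against `depth` ever being left above 10 by some other path; I would write `if (depth >= SMB_FDATA_MAX_DEPTH)` with an enum or `#define SMB_FDATA_MAX_DEPTH 10` next to the declaration of `depth`. The non-recursing branch sets `buf2 = buf`, which means the `while (buf < maxbuf)` loop can only terminate because of whatever handles a non-advancing `buf2` after `return(NULL)`, and that code lies outside this hunk; the new comment should say so explicitly, e.g. `/* buf2 == buf is handled below as "no progress", which ends the loop */`, so nobody later removes that check thinking it is dead. The declaration of `depth` is also not visible here; presumably it is a static counter shared across the recursive calls, which would be worth stating in the comment. smb_fdata() starts and ends outside the hunk.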
@@ -888,22 +903,35 @@ smb_fdata(netdissect_options *ndo,
 return(buf);
 case '|':
+ /*
+ * Just do a bounds check.
+ */
 fmt++;
 if (buf >= maxbuf)
 return(buf);
 break;
 case '%':
+ /*
+ * XXX - unused?
+ */
 fmt++;
 buf = maxbuf;
 break;
 case '#':
+ /*
+ * Done?
+ */
 fmt++;
 return(buf);
 break;
 case '[':
+ /*
+ * Format of an item, enclosed in square brackets; dissect
+ * the item with smb_fdata1().
+ */
 fmt++;
 if (buf >= maxbuf)
 return(buf);
@@ -931,6 +959,9 @@ smb_fdata(netdissect_options *ndo,
 break;
 default:
+ /*
+ * Not a formatting character, so just print it.
+ */
 ND_PRINT("%c", *fmt);
 fmt++;
 break;
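Review bot: The new `/* Done? */` comment above `case '#':` leaves the intent as a question, and the `break;` that follows its `return(buf);` is unreachable, which suggests the case was never fully settled; since the code does unconditionally return, the comment should state that, e.g. `/* End of format: stop dissecting and return the current position. */`, and the dead `break;` can go. Likewise `/* XXX - unused? */` on `case '%'` would be more useful as a definite statement once the format strings in this file have been grepped for `%`; if none use it, say so, and if some do, describe the effect of `buf = maxbuf` (it consumes the rest of the buffer). The enclosing switch and smb_fdata() start and end outside this hunk.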