From 9fe2de783dbcbe74144678d60a4e3923367044b2 Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Fri, 21 Feb 2020 10:19:35 -0800
Subject: [PATCH] EAP: Remove a couple of string length assumptions.
Don't assume our MNC and MCC string lengths are > 3.
Bug: 16397
Change-Id: I0759dcb9d0c5f078cf3a98e9323d9cb741e15dd4
Reviewed-on: https://code.wireshark.org/review/36146
Reviewed-by: Gerald Combs
Petri-Dish: Gerald Combs
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
(cherry picked from commit 8bda8642dfc8c9a870c6a48771566012353cc898)
Reviewed-on: https://code.wireshark.org/review/36173
---
 epan/dissectors/packet-eap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/epan/dissectors/packet-eap.c b/epan/dissectors/packet-eap.c
index a4b1527957..c3fc33fb07 100644
--- a/epan/dissectors/packet-eap.c
+++ b/epan/dissectors/packet-eap.c
@@ -594,7 +594,8 @@ dissect_eap_identity_wlan(tvbuff_t *tvb, packet_info* pinfo, proto_tree* tree, i
 }
 /* guess if we have a 3 bytes mnc by comparing the first bytes with the imsi */
- if (!sscanf(tokens[2] + 3, "%u", &mnc) || !sscanf(tokens[3] + 3, "%u", &mcc)) {
+ /* XXX Should we force matches on "mnc" and "mmc"? */
+ if (!sscanf(tokens[2], "%*3c%u", &mnc) || !sscanf(tokens[3], "%*3c%u", &mcc)) {
 ret = FALSE;
 goto end;
 }
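Review bot: The `!sscanf(...)` tests on the new `if` line do not reject a token that ends before `%u` can convert anything, because sscanf can return EOF (non-zero) on an input failure, so `!` evaluates false and the `ret = FALSE` path is skipped with `mnc`/`mcc` never written by the call. Short tokens are exactly the case this change targets, so the return value should be compared with the number of expected assignments: `if (sscanf(tokens[2], "%*3c%u", &mnc) != 1 || sscanf(tokens[3], "%*3c%u", &mcc) != 1) {`. Whether `mnc` and `mcc` are initialised beforehand is not visible, since dissect_eap_identity_wlan starts and ends outside the hunk; if they are not, later uses would read indeterminate values derived from packet-controlled input. The added comment also says "mmc" where "mcc" looks intended.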