Ethereal-dev: Re: [Ethereal-dev] tvbuff.c: tvb_memcpy: assertion failed: (length >= -1) w/b

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 29 Mar 2002 14:41:27 -0800
On Sat, Mar 30, 2002 at 12:20:39AM +1100, Ronnie Sahlberg wrote:
> The problem seems to be that dissect_qfsi_vals() specifies an incorrect
> (random)
> value for length when calling get_unicode_or_ascii_string().
> 
> Since I don't have 0.9.2 installed myself, line 11082 does not tell me where
> it went wrong.
> I had a quick look at dissect_qfsi_vals() and did not see anything obviously
> wrong with it.

"cvs update -rrelease-0-9-2 -p packet-smb.c" is your friend.

Line 11082 is

	case 0x0105:	/* SMB_QUERY_FS_ATTRIBUTE_INFO */
		/* FS attributes */
		CHECK_BYTE_COUNT_TRANS_SUBR(4);
		offset = dissect_fs_attributes(tvb, pinfo, tree, offset);
		*bcp -= 4;
	
		/* max name len */
		CHECK_BYTE_COUNT_TRANS_SUBR(4);
		proto_tree_add_item(tree, hf_smb_max_name_len, tvb, offset, 4, TRUE);
		COUNT_BYTES_TRANS_SUBR(4);

		/* fs name length */
		CHECK_BYTE_COUNT_TRANS_SUBR(4);
		fnl = tvb_get_letohl(tvb, offset);
		proto_tree_add_uint(tree, hf_smb_fs_name_len, tvb, offset, 4, fnl);
		COUNT_BYTES_TRANS_SUBR(4);

		/* label */
		fn_len = fnl;
--------->	fn = get_unicode_or_ascii_string(tvb, &offset, pinfo, &fn_len, FALSE, TRUE, bcp);
		CHECK_STRING_TRANS_SUBR(fn);
		proto_tree_add_string(tree, hf_smb_fs_name, tvb, offset, fn_len,
			fn);
		COUNT_BYTES_TRANS_SUBR(fn_len);

		break;

I suspect the value isn't random in the sense that it's uninitialized; I
suspect that either

	1) we're somehow misdissecting the SMB message

or

	2) the message is malformed, with a bogus name length.
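The failure mode under discussion is a classic one for a dissector: the name length is read from the packet itself, so a misdissected or malformed message can hand the string-extraction routine a length far larger than the bytes that remain. The following is an added example, not code from Ethereal or packet-smb.c: it parses a minimal SMB_QUERY_FS_ATTRIBUTE_INFO-shaped record (FS attributes, max name length, name length, ASCII name) against both the buffer bound and the remaining byte count, the way the CHECK_BYTE_COUNT_TRANS_SUBR macros do, and rejects a bad length before any copy happens. The `tvb_t` struct, `get_letohl`, `parse_fs_attribute_info` and the sample messages are all constructed for this illustration. The small `name_len_as_signed` helper shows one assumption about how a copy length below -1 can arise at all: a 32-bit unsigned wire length copied into a signed `int`, as in `fn_len = fnl`, wraps negative once the top bit is set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a captured-bytes buffer (hypothetical, not the real tvbuff API). */
typedef struct {
    const uint8_t *data;
    size_t len;
} tvb_t;

enum { FS_OK = 0, FS_TRUNCATED = -1, FS_BAD_NAME_LEN = -2 };

typedef struct {
    uint32_t attributes;
    uint32_t max_name_len;
    uint32_t name_len;
    char     name[64];   /* ASCII label only in this example; real SMB may carry UTF-16 */
} fs_attr_info_t;

/* Little-endian 32-bit read; the caller has already checked that 4 bytes exist. */
static uint32_t get_letohl(const tvb_t *tvb, size_t off)
{
    return (uint32_t)tvb->data[off]
         | ((uint32_t)tvb->data[off + 1] << 8)
         | ((uint32_t)tvb->data[off + 2] << 16)
         | ((uint32_t)tvb->data[off + 3] << 24);
}

/* The trusting pattern: the unsigned wire length lands in a signed int.
 * On two's-complement machines 0xffffffff becomes -1 (which a "length >= -1"
 * check would accept) and anything with bit 31 set becomes a value below -1. */
static int name_len_as_signed(uint32_t fnl)
{
    int fn_len = (int)fnl;   /* same conversion as fn_len = fnl in the quoted code */
    return fn_len;
}

/* Hardened parse: every field is checked against the bytes actually present in
 * the buffer AND against bcp, the byte count the transaction says is left.
 * The name length is peer-controlled, so it is validated before any copy. */
static int parse_fs_attribute_info(const tvb_t *tvb, size_t offset, size_t bcp,
                                   fs_attr_info_t *out)
{
    if (bcp < 12 || tvb->len < offset || tvb->len - offset < 12)
        return FS_TRUNCATED;

    out->attributes   = get_letohl(tvb, offset);
    out->max_name_len = get_letohl(tvb, offset + 4);
    out->name_len     = get_letohl(tvb, offset + 8);
    offset += 12;
    bcp    -= 12;

    /* Reject a length that exceeds the remaining byte count, the remaining
     * buffer, or the destination; never let it reach memcpy. */
    if (out->name_len > bcp || out->name_len > tvb->len - offset)
        return FS_BAD_NAME_LEN;
    if (out->name_len >= sizeof(out->name))
        return FS_BAD_NAME_LEN;

    memcpy(out->name, tvb->data + offset, out->name_len);
    out->name[out->name_len] = '\0';
    return FS_OK;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_msg[] = {
    0x0f, 0x00, 0x00, 0x00,   /* FS attributes */
    0xff, 0x00, 0x00, 0x00,   /* max name len = 255 */
    0x04, 0x00, 0x00, 0x00,   /* fs name length = 4 */
    'N', 'T', 'F', 'S'
};
static const uint8_t bad_msg[] = {
    0x0f, 0x00, 0x00, 0x00,
    0xff, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff,   /* fs name length = 0xffffffff: far more than is present */
    'N', 'T', 'F', 'S'
};

int main(void)
{
    fs_attr_info_t info;
    tvb_t good = { good_msg, sizeof good_msg };
    tvb_t bad  = { bad_msg,  sizeof bad_msg  };

    if (parse_fs_attribute_info(&good, 0, sizeof good_msg, &info) == FS_OK)
        printf("good: name_len=%u name=%s\n", info.name_len, info.name);
    printf("bad:  rc=%d (signed view of length: %d)\n",
           parse_fs_attribute_info(&bad, 0, sizeof bad_msg, &info),
           name_len_as_signed(0xffffffffu));
    printf("0x80000000 as signed: %d\n", name_len_as_signed(0x80000000u));
    return 0;
}
```

The check against `bcp` matters as much as the check against the buffer: a length that fits in the capture but not in the transaction's declared byte count indicates the same misdissection or corruption that Guy describes, and a dissector should flag it as malformed rather than trust the bytes that happen to follow.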