Ethereal-dev: Re: [Ethereal-dev] Re: ethereal 0.10.8 radius/iapp dissector vuln

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 22 Dec 2004 11:31:11 -0800
Guy Harris wrote:

The current version in SVN doesn't crash, as one of the explicit AVP length checks I added makes sure you have at least one byte present for the tag in a tagged string - although it also doesn't report that there's a bad tagged string, so I'll have to see why that is.

It's because I was treating a tagged string TLV with a length of 2 as an empty string. RFC 2868 says the length of the "tagged string" fields it mentions must be at least 3, i.e. 2 for the type+length and 1 for the tag - but it also says that the tag must be 0x00 if missing or in the range 0x01-0x1F if it's a tag, suggesting that the intent is not to use printable characters as tags, perhaps so that truly untagged fields can also be handled, which might indicate that a length of 2 corresponds to an empty string.

I've checked in a change to require that the length be 3.
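The length rule described in this message, as an added example that is not part of the original post and is not Ethereal's dissector code: a bounds-checked parser for one tagged-string AVP that rejects a length below 3 before touching the tag byte. The type byte 0x42, the `avp_status` codes, the `tagged_string` struct and the handling of a first byte above 0x1F as string data are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes and struct are hypothetical names for this example. */
enum avp_status { AVP_OK, AVP_TRUNCATED, AVP_BAD_LENGTH };

struct tagged_string {
    int            has_tag;  /* 1 if the first value byte is 0x01-0x1F */
    uint8_t        tag;
    const uint8_t *str;      /* points into the caller's buffer, not NUL-terminated */
    size_t         str_len;
};

/* Parse one tagged-string AVP (type, length, tag, string) from buf. */
enum avp_status parse_tagged_string(const uint8_t *buf, size_t buf_len,
                                    struct tagged_string *out)
{
    if (buf_len < 2)
        return AVP_TRUNCATED;            /* no room for type + length */
    size_t avp_len = buf[1];             /* length covers type + length + value */
    if (avp_len < 3)
        return AVP_BAD_LENGTH;           /* 2 header bytes + 1 tag byte minimum */
    if (avp_len > buf_len)
        return AVP_TRUNCATED;            /* claimed length runs past captured data */

    uint8_t first = buf[2];              /* safe: 3 <= avp_len <= buf_len */
    size_t skip = 3;                     /* header + tag byte */
    out->has_tag = (first >= 0x01 && first <= 0x1F);
    out->tag = out->has_tag ? first : 0;
    if (first > 0x1F)
        skip = 2;                        /* assumption: byte is string data, not a tag */
    out->str = buf + skip;
    out->str_len = avp_len - skip;
    return AVP_OK;
}

int main(void)
{
    /* Constructed AVP: type 0x42, length 2, no value bytes at all. */
    const uint8_t bad[] = { 0x42, 0x02 };
    struct tagged_string ts;
    printf("length-2 AVP -> %d\n", parse_tagged_string(bad, sizeof bad, &ts));
    return 0;
}
```

Returning a distinct `AVP_BAD_LENGTH` status lets the caller report the malformed field instead of silently showing an empty string.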