Ethereal-dev: [Ethereal-dev] Re: ethereal 0.10.8 radius/iapp dissector vuln

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jonathan Heusser <jonny@xxxxxxxxxxxx>
Date: Wed, 22 Dec 2004 19:55:04 +0100
If the fourth argument to "rdconvertbufftostr()" is negative, there's a bug in whatever code is calling it.

Depends where you're normally fixing bugs..

In many cases, it's not ever going to be negative; [...]

There is at least one case (tagged strings) where it doesn't check that the length is >= 3 - and, in fact, there are other non-string parameters that also need length checks; "rd_value_to_str()" should be doing those checks.

The attached file is an example packet which lets ethereal crash, (ab)using the
tagged string case.


A simple fix would be to bail out when 'length' is negative.
"Bailing out" should be done with [..]

As I said, a simple fix.

jonathan heusser

--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C

Attachment: rdconverttrigger.dump
Description: Binary data
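As an added illustration of the length check the thread says "rd_value_to_str()" should be doing, the following C function decodes a RADIUS tagged-string attribute value and refuses anything whose length byte is below 3. This is example code written for this archive page, not Ethereal's dissector; the attribute layout it assumes (one type byte, one length byte that counts itself, one tag byte, then the string) and the sample attributes below are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RD_MAX_STR 256

/* Length-checked conversion of a RADIUS tagged-string attribute to a
 * printable C string. attr points at the attribute's type byte; avail is
 * the number of bytes actually remaining in the packet buffer from attr.
 * Returns the number of string bytes written (NUL excluded) or -1 when the
 * attribute is malformed. Assumed layout: type, length, tag, string. */
int rd_tagged_string_to_str(const unsigned char *attr, size_t avail,
                            char *out, size_t outlen)
{
    if (attr == NULL || out == NULL || outlen == 0)
        return -1;
    /* Both header bytes must be present before the length byte is read. */
    if (avail < 2)
        return -1;
    unsigned int length = attr[1];   /* counts type + length + tag + string */
    /* A tagged string needs type, length and tag, so length must be >= 3.
     * Without this check, length - 3 goes negative (signed) or wraps
     * (unsigned) and the string copy reads far past the value. */
    if (length < 3)
        return -1;
    /* The declared length must also fit inside what is left of the packet. */
    if (length > avail)
        return -1;
    size_t slen = length - 3;
    if (slen >= outlen)              /* truncate to leave room for the NUL */
        slen = outlen - 1;
    /* Copy printable bytes; replace anything else with '.' for display. */
    for (size_t i = 0; i < slen; i++) {
        unsigned char c = attr[3 + i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[slen] = '\0';
    return (int)slen;
}

static char rd_scratch[RD_MAX_STR];

/* Wrapper for the samples: decodes into a static buffer and returns it,
 * or NULL when the attribute is rejected. */
const char *rd_decode_sample(const unsigned char *attr, size_t avail)
{
    if (rd_tagged_string_to_str(attr, avail, rd_scratch, sizeof rd_scratch) < 0)
        return NULL;
    return rd_scratch;
}

/* Constructed sample attributes (not taken from the thread's attachment). */
const unsigned char SAMPLE_OK[]    = {0x50, 0x08, 0x01, 'h', 'e', 'l', 'l', 'o'};
const unsigned char SAMPLE_SHORT[] = {0x50, 0x02};            /* length 2: no tag byte */
const unsigned char SAMPLE_EMPTY[] = {0x50, 0x03, 0x01};      /* tag only, empty string */
const unsigned char SAMPLE_OVER[]  = {0x50, 0x10, 0x01, 'a'}; /* claims 16 bytes, 4 present */

int main(void)
{
    const char *s;
    s = rd_decode_sample(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("ok    : %s\n", s ? s : "(rejected)");
    s = rd_decode_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT);
    printf("short : %s\n", s ? s : "(rejected)");
    s = rd_decode_sample(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY);
    printf("empty : \"%s\"\n", s ? s : "(rejected)");
    s = rd_decode_sample(SAMPLE_OVER, sizeof SAMPLE_OVER);
    printf("over  : %s\n", s ? s : "(rejected)");
    return 0;
}
```

The two rejections matter for different reasons: a length below 3 is the tagged-string case the thread describes, while a length larger than the bytes remaining in the packet is the ordinary truncated-attribute case that every value-to-string routine has to handle before touching the value bytes.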