Ethereal-dev: [Ethereal-dev] Ethereal patch for ieee80211

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Neil Kettle" <njk4@xxxxxxxxxx>
Date: Fri, 8 Apr 2005 13:30:22 +0100
Hi,

Find enclosed another patch, this time for the ieee80211 dissector. This will fix an off-by-one overflow in the out_buff buffer. When tag_len = 255 it was possible to write a single NULL to out_buff[tag_len+1], which would be out_buff[256] when out_buff is SHORT_STR = 256 bytes long. We don't believe this to be exploitable, since you're saved by the stack layout (but you never know).

______________________________________________________________________

Neil K
(njk4@xxxxxxxxxx)
(mu-b@xxxxxxxxxxxxxx)

--- packet-ieee80211.orig       2005-03-10 15:53:42.000000000 +0000
+++ packet-ieee80211.c  2005-04-08 13:18:35.860059000 +0100
@@ -1220,10 +1220,10 @@
     {

     case TAG_SSID:
-      memset (out_buff, 0, SHORT_STR);
-
+      /*memset (out_buff, 0, SHORT_STR);*/ /* why do this? */
       memcpy (out_buff, tag_data_ptr, (size_t) tag_len);
-      out_buff[tag_len + 1] = 0;
+      out_buff[tag_len] = 0; /* 0 <= tag_len <= 255 and SHORT_STR = 256 */
+
       for (i = 0; i < tag_len; i++) {
          if (!isprint( (int) out_buff[i])) {
              print_buff[i]='.';
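Review bot: Dropping the `memset (out_buff, 0, SHORT_STR)` is a separate behavioural change from the off-by-one fix and should be justified or split out; after this hunk, bytes of `out_buff` past `out_buff[tag_len]` keep whatever the previous tag left there, so any consumer that reads more than `tag_len + 1` bytes (rather than stopping at the NUL) now sees stale data. The terminator fix itself is right, but the comment `/* 0 <= tag_len <= 255 and SHORT_STR = 256 */` only documents the invariant; an explicit guard such as `if (tag_len >= SHORT_STR) break;` before the `memcpy` would make the code safe even if `tag_len` were ever widened or the buffer shrunk. Minor, in the unchanged context: `isprint( (int) out_buff[i])` passes a possibly negative `char` to `isprint`, which is undefined for values other than EOF; casting through `unsigned char` avoids that.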
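To make the boundary concrete, the following is an added example of a bounds-checked version of the tag-copy-and-terminate logic discussed above. It is not code from the Ethereal patch or dissector: the function name `copy_tag_string`, the `demo_check` helper and the constructed tag bodies are assumptions for illustration, while `SHORT_STR` keeps the value the email gives (256). The point it shows is that with a 256-byte buffer the terminator for a 255-byte tag lands at index 255 (the last valid slot), and that an index of `tag_len + 1` would be one past the end.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SHORT_STR 256  /* buffer size named in the email; terminator must land at index <= 255 */

/*
 * Copy a tag body of tag_len bytes into a SHORT_STR-sized buffer, NUL-terminate
 * it inside the buffer, and replace non-printable bytes with '.'.
 * Returns the index at which the terminator was written, or -1 if the tag
 * cannot be stored with its terminator (tag_len >= SHORT_STR).
 * With an 8-bit length field tag_len is at most 255, so the guard never
 * fires for real frames; it exists so the invariant is enforced, not assumed.
 */
int copy_tag_string(char out_buff[SHORT_STR], const unsigned char *tag_data, size_t tag_len)
{
    if (tag_len >= SHORT_STR)
        return -1;                      /* terminator would need index SHORT_STR: out of bounds */

    memcpy(out_buff, tag_data, tag_len);
    out_buff[tag_len] = '\0';           /* index tag_len, not tag_len + 1 */

    for (size_t i = 0; i < tag_len; i++) {
        /* cast through unsigned char: isprint() on a negative char is undefined */
        if (!isprint((unsigned char)out_buff[i]))
            out_buff[i] = '.';
    }
    return (int)tag_len;
}

/*
 * Exercises the boundary with constructed inputs (hypothetical helper):
 * a 255-byte tag must succeed with the NUL at index 255, and a 256-byte
 * body (impossible for an 8-bit length, but representative of a widened
 * field) must be rejected rather than written past the buffer.
 * Returns 1 when every check holds, 0 otherwise.
 */
int demo_check(void)
{
    char out_buff[SHORT_STR];
    unsigned char tag[255];
    unsigned char too_big[256];

    memset(tag, 'A', sizeof tag);
    tag[0] = 0x01;                      /* constructed non-printable byte */
    memset(too_big, 'B', sizeof too_big);

    if (copy_tag_string(out_buff, tag, sizeof tag) != 255) return 0;
    if (out_buff[255] != '\0') return 0;       /* terminator at the last valid index */
    if (out_buff[0] != '.') return 0;          /* non-printable replaced */
    if (out_buff[254] != 'A') return 0;        /* last data byte intact */

    if (copy_tag_string(out_buff, too_big, sizeof too_big) != -1) return 0;
    return 1;
}
```

The guard makes the "0 <= tag_len <= 255" comment from the patch an enforced check rather than a documented assumption, which is the property a reviewer would want to see survive future edits to the buffer size or the length type.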