Ethereal-users: Re: [Ethereal-users] Segmentation Fault - solved

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Sebastian Felis <felis@xxxxxxxxxxxxx>
Date: Wed, 10 Nov 2004 16:30:49 +0100
On Tue, 2004-11-09 at 21:04, Guy Harris wrote: 
> Sebastian Felis wrote:
> 
> > I attached a small dump file which crashes tethereal by following
> > minimal parameters (at least on my box).
> 
> It doesn't do so on my OS X machine with the current SVN source.  What 
> version of Ethereal do you have installed?  If it's not 0.10.7, try 
> running 0.10.7.

It's also crashing with the nightly build of 2004-11-09 on my system.

But after some tries the problem was fixed.

Description:
	In tethereal.c around line 2820 there is a buffer length check
	for the output line. If the buffer is too small it will be doubled;
	another overflow check isn't done.

Bug:
	If the new column string is greater than the doubled buffer length, an
	overflow will occur.


A patch for the current SVN version 12505 is attached.


Best regards

Sebastian
Index: tethereal.c
===================================================================
--- tethereal.c	(revision 12505)
+++ tethereal.c	(working copy)
@@ -2750,7 +2750,9 @@
       if (column_len < 3)
         column_len = 3;
       if (buf_offset + column_len > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + column_len > line_buf_len) {
+          line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       snprintf(line_bufp + buf_offset, COL_MAX_LEN+1, "%3s", cf->cinfo.col_data[i]);
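Review bot: the loop now grows line_buf_len until buf_offset + column_len fits, but the snprintf that follows still bounds its write by COL_MAX_LEN+1 rather than by the room left in line_bufp, so the write is safe only as long as column_len matches what "%3s" will actually emit. Passing the remaining room, `line_buf_len + 1 - buf_offset`, as the size argument would tie the bound to the allocation that was just resized. Also worth confirming that line_buf_len is initialised to a non-zero value before this point (not visible in the hunk): with a zero length the `*= 2` loop never terminates.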
@@ -2764,7 +2766,9 @@
       if (column_len < 10)
         column_len = 10;
       if (buf_offset + column_len > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + column_len > line_buf_len) {
+          line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       snprintf(line_bufp + buf_offset, COL_MAX_LEN+1, "%10s", cf->cinfo.col_data[i]);
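Review bot: this is the second of six identical copies of the resize block; the original bug came from the same three lines being repeated in every column case, and a small helper such as `ensure_line_buf(&line_bufp, &line_buf_len, buf_offset + column_len)` called from each case would leave one growth rule to maintain. Since column_len is clamped to at least 10 here while the write is `"%10s"` of cf->cinfo.col_data[i], the helper should be handed the length snprintf will actually produce.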
@@ -2783,7 +2787,9 @@
       if (column_len < 12)
         column_len = 12;
       if (buf_offset + column_len > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + column_len > line_buf_len) {
+          line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       snprintf(line_bufp + buf_offset, COL_MAX_LEN+1, "%12s", cf->cinfo.col_data[i]);
@@ -2802,7 +2808,9 @@
       if (column_len < 12)
         column_len = 12;
       if (buf_offset + column_len > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + column_len > line_buf_len) {
+          line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       snprintf(line_bufp + buf_offset, COL_MAX_LEN+1, "%-12s", cf->cinfo.col_data[i]);
@@ -2811,7 +2819,9 @@
     default:
       column_len = strlen(cf->cinfo.col_data[i]);
       if (buf_offset + column_len > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + column_len > line_buf_len) {
+            line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       strcat(line_bufp + buf_offset, cf->cinfo.col_data[i]);
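Review bot: the while body in this hunk is indented four spaces deeper than in the other five hunks; align it with the `while` as the rest of the patch does. Beyond style, this case appends with strcat, which relies on line_bufp[buf_offset] already being a NUL terminator: the bytes g_realloc adds are uninitialised, so if a previous column ever left the string unterminated at buf_offset, strcat would scan past it. Since column_len is exactly strlen(cf->cinfo.col_data[i]) here, a memcpy of column_len + 1 bytes to line_bufp + buf_offset (or g_strlcpy with the remaining room) needs no such assumption.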
@@ -2834,7 +2844,9 @@
        * even if we're only adding " ".
        */
       if (buf_offset + 4 > line_buf_len) {
-        line_buf_len *= 2;
+        while (buf_offset + 4 > line_buf_len) {  
+          line_buf_len *= 2;
+        }
         line_bufp = g_realloc(line_bufp, line_buf_len + 1);
       }
       switch (cf->cinfo.col_fmt[i]) {
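Review bot: trailing whitespace after `{` on the new while line. The literal 4 now appears twice (in the `if` and in the `while`); the comment above says the space is reserved even when only " " is added, so naming that reservation (a `#define` or a local `needed`) and using it in both places would keep the two in step if the reserved width ever changes.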
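As an added illustration, not code from the Ethereal tree or from this thread: a standalone C model of the two growth rules the report compares, the old "double once" rule and the patched "double until it fits" rule. The buffer sizes and column contents are constructed for the demo, and the names grow_line_buf, append_column and demo_dropped_bytes are mine. The copy is bounded by the room actually left in the buffer, so the undersized allocation produced by the old rule shows up as a count of dropped bytes rather than as an out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Ethereal code: the two line-buffer growth rules
 * compared in the report above.  All sizes and column text are constructed. */

enum grow_policy { GROW_ONCE, GROW_UNTIL_FITS };

/* Length the line buffer should have so that column_len bytes can be placed
 * at buf_offset.  GROW_ONCE is the old rule (double once, no re-check);
 * GROW_UNTIL_FITS is the patched rule (double until it fits). */
size_t grow_line_buf(size_t buf_offset, size_t column_len,
                     size_t line_buf_len, enum grow_policy policy)
{
    if (line_buf_len == 0)                /* 0 * 2 stays 0: avoid an endless loop */
        line_buf_len = 1;
    if (buf_offset + column_len > line_buf_len) {
        if (policy == GROW_ONCE)
            line_buf_len *= 2;
        else
            while (buf_offset + column_len > line_buf_len)
                line_buf_len *= 2;
    }
    return line_buf_len;
}

/* Append col at *offsetp, resizing *bufp (which always holds *lenp + 1 bytes)
 * with the chosen policy.  The copy is bounded by the room actually left, so
 * an undersized buffer shows up as a non-zero return (bytes that did not fit)
 * instead of a heap overflow. */
size_t append_column(char **bufp, size_t *lenp, size_t *offsetp,
                     const char *col, enum grow_policy policy)
{
    size_t column_len = strlen(col);
    size_t new_len = grow_line_buf(*offsetp, column_len, *lenp, policy);

    if (new_len != *lenp) {
        char *p = realloc(*bufp, new_len + 1);
        if (p == NULL)
            abort();
        *bufp = p;
        *lenp = new_len;
    }
    size_t room = *lenp - *offsetp;       /* bytes still free for the column */
    size_t n = column_len < room ? column_len : room;
    memcpy(*bufp + *offsetp, col, n);
    *offsetp += n;
    (*bufp)[*offsetp] = '\0';             /* the +1 byte makes this always safe */
    return column_len - n;
}

/* Constructed scenario: a 64-byte line buffer already holding 50 bytes
 * receives a 300-byte column.  Returns how many column bytes were dropped. */
size_t demo_dropped_bytes(enum grow_policy policy)
{
    size_t len = 64, offset = 50;
    char *buf = malloc(len + 1);
    char col[301];

    if (buf == NULL)
        abort();
    memset(buf, 'x', offset);
    buf[offset] = '\0';
    memset(col, 'c', sizeof col - 1);
    col[sizeof col - 1] = '\0';

    size_t dropped = append_column(&buf, &len, &offset, col, policy);
    free(buf);
    return dropped;
}

int main(void)
{
    printf("double once:       %zu bytes would not fit\n",
           demo_dropped_bytes(GROW_ONCE));
    printf("double until fits: %zu bytes would not fit\n",
           demo_dropped_bytes(GROW_UNTIL_FITS));
    return 0;
}
```

With the old rule the 64-byte buffer grows to 128, leaving 78 bytes for a 300-byte column, so 222 bytes are cut off; with the patched rule it grows to 512 and the whole column fits. In tethereal the copy was not bounded by the remaining room, which is why the same arithmetic produced a heap overflow and the reported segmentation fault instead of a truncated line.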